Is there a way to log root commands from SSH on OpenVZ Node? I tried Snoopy and I was not able to exclude everything and leave only SSH commands.
@edit I want log ONLY commands sent through SSH/SFTP from remote host, because on my openvz node root is used to run many other commands locally. For example Snoopy is logging everything that happens on system (that is a lot of trash..), but I want to see what is done by any person on root by SSH/SFTP.
As Aaron says, you need auditd. Your question is not a duplicate of this other one I found, but the accepted answer is perfect for you:
Log all commands run by admins on production servers
And I just found this:
https://askubuntu.com/questions/422243/how-to-audit-tty-for-a-specified-user-in-ssh-connection
It demonstrates that you need to use PAM to target SSH in the way you want by adding something along the lines of this to your configuration.
/etc/pam.d/sshd
session required pam_tty_audit.so enable=*
