Question: How to redirect the shell command history to Syslog?
There are several methods to do this. You can try any one of the three methods below:
Method 1 – via rsyslog service
To use rsyslog for logging every shell command, just follow steps below:
1. Create a new rsyslog configuration file, and define the log file path. For example: /var/log/commands.log.
# vi /etc/rsyslog.d/bash.conf
local6.* /var/log/commands.log
2. Edit the user's ~/.bashrc. Note: you need to edit the ~/.bashrc of each and every user whose commands should be logged.
# vi ~/.bashrc
whoami="$(whoami)@$(echo $SSH_CONNECTION | awk '{print $1}')"
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$whoami [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
For example:
[root@hostname ~]# cat ~/.bashrc | tail -n2
whoami="$(whoami)@$(echo $SSH_CONNECTION | awk '{print $1}')"
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$whoami [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
[root@hostname ~]#
3. Restart rsyslog service
# systemctl restart rsyslog
All done. See the log format example below:
[root@hostname ~]# date
Thu Apr 9 00:26:11 EDT 2020
[root@hostname ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
[root@hostname ~]# tail -2 /var/log/commands.log
Apr 9 00:26:11 hostname root: root@x.x.x.x [1643]: date [0]
Apr 9 00:26:18 hostname root: root@x.x.x.x [1643]: cat /etc/redhat-release [0]
[root@hostname ~]#
Method 2 – via bash shell option
1. Add 'shopt -s syslog_history' to the system-wide startup file /etc/profile or to the personal initialization file ~/.bash_profile. For example:
[root@hostname ~]# cat /etc/profile | grep shopt
shopt -s syslog_history
2. Log out and log in again for the option to take effect.
3. Log example:
[root@hostname ~]# pwd
/root
[root@hostname ~]# date
Thu Apr 9 01:26:46 EDT 2020
[root@hostname ~]# tail -2 /var/log/messages
Apr 9 01:26:46 hostname -bash: HISTORY: PID=1345 UID=0 date
Apr 9 01:26:52 hostname -bash: HISTORY: PID=1345 UID=0 tail -2 /var/log/messages
[bob@hostname ~]$ tail -f /var/log/messages
Apr 9 01:26:45 hostname -bash: HISTORY: PID=1345 UID=0 pwd
Apr 9 01:26:46 hostname -bash: HISTORY: PID=1345 UID=0 date
Apr 9 01:26:52 hostname -bash: HISTORY: PID=1345 UID=0 tail -2 /var/log/messages
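As an added example (not part of the original answer), the following POSIX shell script parses both log formats shown above: the Method 1 lines written by logger (user@source, shell PID, command, exit status) and the Method 2 HISTORY lines written by bash (PID, UID, command). It lists commands that exited non-zero and counts commands per user and source, which is what a reviewer of these logs usually wants first. The lines in sample_log are constructed to match the formats on this page, and the function names are the example's own. Keep in mind that both methods run inside the user's own bash process, which the user can reconfigure, so treat these logs as an audit aid rather than a tamper-proof record and review them on the syslog host rather than on the machine where the shell runs.

```shell
#!/bin/sh
# Added example, not from the original answer. Parses the two command-log
# formats described on this page into "user|source|pid|status|command".

# Format 1 (Method 1, via logger):
#   Apr 9 00:26:11 hostname root: root@x.x.x.x [1643]: date [0]
FMT1='s/^[A-Za-z]+ +[0-9]+ [0-9:]+ [^ ]+ [^:]+: ([^@ ]+)@([^ ]+) \[([0-9]+)]: (.*) \[([0-9]+)]$/\1|\2|\3|\5|\4/p'

# Format 2 (Method 2, bash syslog_history); no source or exit status is
# recorded, so those fields become "-" and the user is reported as uid:N.
#   Apr 9 01:26:46 hostname -bash: HISTORY: PID=1345 UID=0 date
FMT2='s/^[A-Za-z]+ +[0-9]+ [0-9:]+ [^ ]+ [^ ]+ HISTORY: PID=([0-9]+) UID=([0-9]+) (.*)$/uid:\2|-|\1|-|\3/p'

# Print "user|source|pid|status|command" for one log line, or nothing if the
# line matches neither format.
parse_cmdlog_line() {
    out=$(printf '%s\n' "$1" | sed -nE "$FMT1")
    [ -n "$out" ] || out=$(printf '%s\n' "$1" | sed -nE "$FMT2")
    printf '%s\n' "$out"
}

# Read log lines on stdin and print those whose recorded exit status is
# non-zero. Lines without a recorded status (Format 2) are skipped.
failed_commands() {
    while IFS= read -r line; do
        fields=$(parse_cmdlog_line "$line")
        [ -n "$fields" ] || continue          # not a command-log line
        rest=${fields#*|*|*|}                 # drop user|source|pid|
        status=${rest%%|*}
        case $status in
            -|0) ;;                           # no status, or success
            *)   printf '%s\n' "$line" ;;     # non-zero exit: worth a look
        esac
    done
}

# Read log lines on stdin and print "user@source count", most active first.
commands_per_user() {
    while IFS= read -r line; do
        fields=$(parse_cmdlog_line "$line")
        [ -n "$fields" ] || continue
        user=${fields%%|*}
        rest=${fields#*|}
        src=${rest%%|*}
        printf '%s@%s\n' "$user" "$src"
    done | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Constructed sample log in the formats shown on this page (not real output).
sample_log() {
    cat <<'EOF'
Apr 9 00:26:11 hostname root: root@x.x.x.x [1643]: date [0]
Apr 9 00:26:18 hostname root: root@x.x.x.x [1643]: cat /etc/redhat-release [0]
Apr 9 00:27:02 hostname root: root@x.x.x.x [1643]: systemctl restart rsyslog [0]
Apr 9 00:30:40 hostname bob: bob@10.0.0.5 [2210]: ls /root [2]
Apr 9 00:31:05 hostname bob: bob@10.0.0.5 [2210]: id [0]
Apr 9 01:26:46 hostname -bash: HISTORY: PID=1345 UID=0 date
EOF
}

# Stand-alone demonstration over the constructed sample.
echo "== commands that exited non-zero =="
sample_log | failed_commands
echo "== commands per user@source =="
sample_log | commands_per_user
```

To run it against a real log, replace `sample_log` with `cat /var/log/commands.log` (Method 1) or `grep HISTORY: /var/log/messages` (Method 2); the parsers are anchored on the full line, so unrelated syslog entries are ignored rather than misparsed.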
Method 3 – via script command
In addition, if you only want to log a single terminal session, try the 'script' command as shown below; it is easy to use and very helpful.
1. To begin logging, just run:
# script /tmp/screen.log
2. Now you can start your bash commands. Once finished, you can exit out:
# exit
The whole session is then saved to the file /tmp/screen.log.
3. Verify the outputs:
# cat /tmp/screen.log
For example:
[root@hostname ~]# script /tmp/screen.log
Script started, file is /tmp/screen.log
[root@hostname ~]# date
Thu Apr 9 00:28:26 EDT 2020
[root@hostname ~]# whoami
root
[root@hostname ~]# exit
exit
Script done, file is /tmp/screen.log
[root@hostname ~]# cat /tmp/screen.log
Script started on Thu 09 Apr 2020 12:28:23 AM EDT
[root@hostname ~]# date
Thu Apr 9 00:28:26 EDT 2020
[root@hostname ~]# whoami
root
[root@hostname ~]# exit
exit
Script done on Thu 09 Apr 2020 12:28:42 AM EDT
[root@hostname ~]#