Inspired by this blog post by Vaidas Jablonskis. This tip has been tested on Red Hat and CentOS distributions.
If you ever wanted to log all the commands issued by users on a server, you can edit the default profile configuration to enable this:
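- Edit the /etc/bashrc file and add the following at the end of the file:

    ```
    # Before each prompt, append new history lines to logger, tagged with user, shell PID and SSH connection
    PROMPT_COMMAND='history -a >(logger -t "$USER[$$] $SSH_CONNECTION")'
    ```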
- Log out and log back into your session
- Now all your commands are logged in the default log file (/var/log/messages)
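Once the entries are in /var/log/messages they can be filtered by user and source address. The script below is an added example, not code from the original post or the blog it cites: it assumes each SSH-session entry reads `<timestamp> <host> <user>[<pid>] <SSH_CONNECTION fields>: <command>`, and its function names and sample lines are constructed for illustration. It also drops the `#<epoch>` lines that `history -a` writes when HISTTIMEFORMAT is set.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages (assumed layout, documentation IPs).
sample_log() {
cat <<'EOF'
Apr 12 10:15:01 web01 alice[4242] 203.0.113.7 51234 198.51.100.5 22: ls -la /etc
Apr 12 10:15:09 web01 alice[4242] 203.0.113.7 51234 198.51.100.5 22: #1334225709
Apr 12 10:15:09 web01 alice[4242] 203.0.113.7 51234 198.51.100.5 22: sudo su - postgres
Apr 12 10:16:30 web01 sshd[911]: Accepted publickey for bob from 203.0.113.9 port 40022 ssh2
Apr 12 10:16:41 web01 bob[5150] 203.0.113.9 40022 198.51.100.5 22: vi  /etc/passwd
EOF
}

# parse_cmdlog (hypothetical helper): reads syslog lines on stdin and prints
# user<TAB>pid<TAB>client_ip<TAB>command for entries written by the PROMPT_COMMAND hook.
parse_cmdlog() {
  awk '
    BEGIN { OFS = "\t" }
    # Field 5 must be user[pid]; field 9 is the server port closing the tag with ":".
    $5 ~ /^[^[]+\[[0-9]+\]$/ && $9 ~ /^[0-9]+:$/ {
      n    = index($5, "[")
      user = substr($5, 1, n - 1)
      pid  = substr($5, n + 1, length($5) - n - 1)
      # Take the command from the raw line so its internal whitespace is preserved.
      tag  = $5 " " $6 " " $7 " " $8 " " $9
      cmd  = substr($0, index($0, tag) + length(tag) + 1)
      # Skip history timestamp markers written when HISTTIMEFORMAT is set.
      if (cmd ~ /^#[0-9]+$/) next
      print user, pid, $6, cmd
    }'
}

# flag_switch_user (hypothetical helper): keeps parsed rows whose command starts with su or sudo.
flag_switch_user() {
  awk -F '\t' '$4 ~ /^(su|sudo)( |$)/'
}

# Stand-alone run: show switch-user commands found in the sample.
sample_log | parse_cmdlog | flag_switch_user
```

On a real host, replace `sample_log` with `cat /var/log/messages` (or the dedicated file if a separate syslog facility is used).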
Good one !
Tested this solution and added it in my blog 🙂
http://ashok-linux-tips.blogspot.com/2012/04/log-commands-executed-by-all-users.html
Nice :)..
Hi Vinay,
A different variant of your solution:
Let's say you want to capture the command execution in a different file called “/var/log/usercommands”, instead of /var/log/messages. Here are the steps:
Open the /etc/syslog.conf file and insert the syslog facility entry (local[0-6].info) as shown below:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
local2.info /var/log/usercommands
(Please note that you can use the Syslog facility “local0-6” for any purpose)
After this, restart the ‘syslog’ service.
Update the entry in /etc/bashrc as follows:
PROMPT_COMMAND='history -a >(logger -p local2.info -t "$USER[$PWD] $SSH_CONNECTION")'
Please note that I used $PWD instead of $$.
Very nice.. thx for the tip.
Very useful tip, thanks! But can I also capture the “switch user” command issued by any user?
Yes you can.
I have applied the procedure, but then I realized that my history -a does not give anything; that's why my commands file is empty.
Then I tried echo "dd" > >(logger -p local2.info -t "$USER[$PWD] $SSH_CONNECTION")
and then I got dd in the commands file.
Any idea or workaround?
Buddy – Are you trying to log the entries to a remote server?