HOW TO : Log all commands issued in shell to syslog

Inspired by this blog post by Vaidas Jablonskis. This tip has been tested on Red Hat and CentOS distributions.

If you ever wanted to log all the commands issued by users on a server, you can edit the default profile configuration to enable this:

  • Edit the /etc/bashrc file and add the following at the end of the file:
        PROMPT_COMMAND='history -a >(logger -t "$USER[$$] $SSH_CONNECTION")'
  • Log out and log back into your session
  • Now all your commands are logged in the default log file (/var/log/messages)
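
A variant of the hook above that hands only the newest history entry to logger and skips repeats, as an added example that is not from the original post or from Vaidas Jablonskis. The cmdlog_* names are made up here; the tag format is the one used in the post.

```shell
# Added example, not from the original post. Meant to be appended to /etc/bashrc
# in place of the one-line PROMPT_COMMAND; the cmdlog_* names are made up here.
CMDLOG_PRIORITY=user.notice   # logger's default priority
CMDLOG_PRIMED=""              # set once the first prompt has been seen
CMDLOG_LAST=""                # history number of the last entry handled

# Parse one `history 1` line such as "  42  ls -l /tmp".
# On a new entry: store the command text in CMDLOG_MSG and return 0.
# Return 1 for the first prompt of a session (that entry is left over from an
# earlier session), for an empty line, and for an entry number already seen
# (the user pressed Enter on an empty prompt).
cmdlog_message() {
    cmdlog_entry=${1#"${1%%[! ]*}"}          # strip leading spaces
    cmdlog_num=${cmdlog_entry%%[!0-9]*}      # leading digits: history number
    if [ -z "$CMDLOG_PRIMED" ]; then
        CMDLOG_PRIMED=1
        CMDLOG_LAST=$cmdlog_num
        return 1
    fi
    [ -n "$cmdlog_num" ] || return 1
    [ "$cmdlog_num" != "$CMDLOG_LAST" ] || return 1
    CMDLOG_LAST=$cmdlog_num
    cmdlog_entry=${cmdlog_entry#"$cmdlog_num"}   # drop the number
    cmdlog_entry=${cmdlog_entry#[* ]}            # drop the "modified" marker
    CMDLOG_MSG=${cmdlog_entry#"${cmdlog_entry%%[! ]*}"}
}

# Runs before each prompt: one logger call per new command, tagged as in the post.
cmdlog_hook() {
    # Empty HISTTIMEFORMAT keeps timestamps out of the `history 1` output.
    cmdlog_message "$(HISTTIMEFORMAT= history 1)" || return 0
    logger -p "$CMDLOG_PRIORITY" -t "$USER[$$] $SSH_CONNECTION" -- "$CMDLOG_MSG"
}

# Install only in interactive shells and keep any PROMPT_COMMAND already set.
case $- in
    *i*) PROMPT_COMMAND="cmdlog_hook${PROMPT_COMMAND:+; $PROMPT_COMMAND}" ;;
esac
```

Commands that bash does not add to the history list (for example under HISTCONTROL=ignoredups or ignorespace) are not logged, the same as with history -a.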

9 Replies to “HOW TO : Log all commands issued in shell to syslog”

  1. Hi Vinay,

    A different variant of your solution:

    Let's say you want to capture the command execution in a different file called “/var/log/usercommands”, instead of /var/log/messages. Here are the steps:

    Open the /etc/syslog.conf file and insert the syslog facility entry (local[0-6].info) as shown below:

    *.info;mail.none;authpriv.none;cron.none /var/log/messages
    local2.info /var/log/usercommands

    (Please note that you can use the Syslog facility “local0-6” for any purpose)

    After this, restart the ‘syslog’ service.

    Update the entry in /etc/bashrc as follows:
    PROMPT_COMMAND='history -a >(logger -p local2.info -t "$USER[$PWD] $SSH_CONNECTION")'

    Please note that I used $PWD instead of $$.

  2. I have applied the procedure, but then I realized that my history -a does not give anything; that's why my commands file is empty.
    Then I tried echo "dd" > >(logger -p local2.info -t "$USER[$PWD] $SSH_CONNECTION")
    and then I got dd in the commands file.
    Any idea or workaround?
