How to Log all Bash History Commands to syslog (/var/log/messages) in CentOS/RHEL?

The user wants to see the list of commands used in the syslog messages. This way the user can audit user activities written in bash_history.

 

Solution

 

1. To log bash history to a syslog server, you can use the trap feature provided by Bash. Append the following lines into either the per-user or system-wide bash profile; ~/.bash_profile and /etc/profile file.

PORT=`who am i | awk '{ print $5 }' | sed 's/(//g' | sed 's/)//g'`
logger -p local7.notice -t "bash $LOGNAME $$" User $LOGNAME logged from $PORT
function history_to_syslog
{
declare cmd
declare p_dir
declare LOG_NAME
cmd=$(history 1)
cmd=$(echo $cmd |awk '{print substr($0,length($1)+2)}')
p_dir=$(pwd)
LOG_NAME=$(echo $LOGNAME)
if [ "$cmd" != "$old_command" ]; then
logger -p local7.notice -- SESSION = $$, from_remote_host = $PORT,  USER = $LOG_NAME,  PWD = $p_dir, CMD = "${cmd}"
fi
old_command=$cmd
}
trap history_to_syslog DEBUG || EXIT

 

Note:

 

This resolution spawns new process at each command logged, so it might not be a best solution if your system is in a heavy load.

 

2. To save this log messages into a particular log file, add below line in /etc/syslog.conf (for CentOS/RHEL 4/5) or /etc/rsyslog.conf (for CentOS/RHEL 6/7):

local7.notice                           /var/log/cmd.log

 

This will also log all the commands in the /var/log/messages file. To avoid these commands to be logged in into the /var/log/messages file, add below line in /etc/syslog.conf (for CentOS/RHEL 4/5) or /etc/rsyslog.conf (for CentOS/RHEL 6/7):

*.info;mail.none;authpriv.none;cron.none;local7.!notice                     /var/log/messages

 

This will not log the messages with priority notice or higher in /var/log/messages file.

 

3. Run below command to apply this change:

 

For CentOS/RHEL 4/5

# service syslog restart

 

For CentOS/RHEL 6

# service rsyslog restart

 

For CentOS/RHEL 7

# systemctl restart rsyslog

 

Note:

When a user login into the system without providing -, it will not check /etc/profile file and thus the commands will not be logged in the /var/log/cmd.log file. To log the commands after logging into the user without providing -, add the above trap in a file inside /etc/profile.d/ directory.

 

Was this answer helpful? 0 Users Found This Useful (0 Votes)