Syslog: log all bash history from every user

There are times when I wish I had kept all of my history from the last 3 days, or wish I could review what another user has done to a system. I tried to find a way to log all ssh sessions to the server, logging them to syslog and keeping every action performed by every user! This is good for auditing some systems.

I thought a good idea would be to add a prompt command like this to the system-wide bashrc:


PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'

 

On Debian you should edit the file /etc/bash.bashrc, and on CentOS the file /etc/bashrc.

If you want to start logging for the session you are already in, you have to source the file you have edited. For example, execute:


source /etc/bash.bashrc

 

on a Debian system, or


source /etc/bashrc

on a CentOS system.

From now on, every command of every ssh session will be logged to /var/log/syslog on a Debian system, and to /var/log/messages on a CentOS system.

In case you want to log them to a separate file and not clutter other log files, you can use:


PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.info -t "$USER[$$] $SSH_CONNECTION")'

instead of the previous PROMPT_COMMAND example, and then configure rsyslogd as needed.

For example, on a Debian system edit the **/etc/rsyslog.conf** file and change the line:


*.*;auth,authpriv.none           -/var/log/syslog

to


*.*;auth,authpriv.none;local6.none           -/var/log/syslog

and add the following line to the end of the file:


local6.info                     /var/log/history.log

 

then execute:

touch /var/log/history.log && /etc/init.d/rsyslog restart
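
Once commands arrive in /var/log/history.log, they can be grouped per session for review. The following Python sketch is an added example, not part of the original post: it assumes rsyslog's traditional file format with the "$USER[$$] $SSH_CONNECTION" tag from above, and the sample lines (host, users, addresses) are constructed.

```python
import re
from collections import defaultdict

# Assumed line layout: rsyslog's traditional file format, with the tag
# "$USER[$$] $SSH_CONNECTION" produced by the PROMPT_COMMAND above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<user>[^\s\[]+)\[(?P<pid>\d+)\]"
    r"(?: (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+))?"
    r"\s*: ?(?P<cmd>.*)$"
)
# With HISTTIMEFORMAT set, "history -a" also emits "#<epoch>" marker lines.
EPOCH_MARKER = re.compile(r"^#\d+$")

def parse_line(line):
    """Return a dict for one history log line, or None if it is not a command."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or EPOCH_MARKER.match(m["cmd"]):
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec

def sessions(lines):
    """Group commands by (user, shell pid, source address), in log order."""
    grouped = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        grouped[(rec["user"], rec["pid"], rec["src"])].append(rec["cmd"])
    return dict(grouped)

# Constructed sample lines (documentation addresses, made-up host and users).
# The last line has no SSH_CONNECTION, as for a local console login.
SAMPLE = """\
Jul 18 10:02:11 web01 alice[4242] 203.0.113.5 51234 198.51.100.7 22: sudo -i
Jul 18 10:02:15 web01 bob[4310] 203.0.113.9 40022 198.51.100.7 22: #1405678935
Jul 18 10:02:15 web01 bob[4310] 203.0.113.9 40022 198.51.100.7 22: cat /etc/passwd
Jul 18 10:02:40 web01 alice[4242] 203.0.113.5 51234 198.51.100.7 22: systemctl restart nginx
Jul 18 10:03:02 web01 carol[977] : ls -la
""".splitlines()

if __name__ == "__main__":
    for (user, pid, src), cmds in sessions(SAMPLE).items():
        print(f"{user} pid={pid} from={src or 'local'}")
        for cmd in cmds:
            print(f"    {cmd}")
```
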

 

This article is from my own answer to unix.stackexchange.com:

http://unix.stackexchange.com/questions/139874/local-timestamped-logging-of-all-ssh-commands/145297#145297

My answer was downvoted by the owner of the question as off topic, but I think it is just good practice, when you want to audit a system, to log ssh sessions to the server or, even better, to a log server. So I published my own answer on my own blog.

3 thoughts on “Syslog: log all bash history from every user”

    1. snoopy is a very powerful tool – maybe too powerful (=verbose) – at the end of the day I might not really be interested in all the “exec’s being triggered” but in what was manually typed in by a logged-in user – in this case the above solution suffices.
