Syslog: log all bash history from every user

There are sometimes I wish I had kept all of my history actions within the last 3 days, or I wish I could supervise what an other user have done to a system, I tried to find a way to log all ssh sessions to the server, logging them to syslog and keeping any action performed by every user! This is good for auditing some systems.

I thought that a good idea is to pass to system wide bashrc a prompt command like:

PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'


In debian you should edit the file: /etc/bash.bashrc and in centos the file: /etc/bashrc

If you want to start logging for the session you are in, you have to source the file you have edited, for example execute:

source /etc/bash.bashrc


in a debian system or

source /etc/bashrc

in a centos system.

From now on, every command, of every ssh session will be logged at /var/log/syslog on a debian system, and at /var/log/messages on a centos system.

In case you want to log them on a separate file and not mess up with other log files you can use:

PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p -t "$USER[$$] $SSH_CONNECTION")'

instead of the previous PROMPT_COMMAND example and then configure the rsyslogd as needed.

For example at a Debian System edit the **/etc/rsyslog.conf** file:
change the line :

*.*;auth,authpriv.none           -/var/log/syslog


*.*;auth,authpriv.none,local6           -/var/log/syslog

and add the following line to the end of the file:                     /var/log/history.log


then execute:

touch /var/log/history.log && /etc/init.d/rsyslog restart


This article is from my own answer to

My answer was downvoted by the owner of the question as out of topic, but I think is just a good practice when you want to audit a system, to log ssh sessions to the server or even better to a log server. So I publiced my own answer to my own blog.

3 thoughts on “Syslog: log all bash history from every user”

    1. snoopy is a very powerful tool – maybe too powerful (=verbose) – at the end of the day I might not really be interested in all the “exec’s being triggered” but that what was manually typed in by a logged in user – in this case the above solution suffices.

Leave a Reply

Your email address will not be published. Required fields are marked *

Prove me that you are not a robot :) * Time limit is exhausted. Please reload the CAPTCHA.