I have a CentOS 6.6 and I want to configure rsyslog to log in /var/log/secure every command inserted by root or normal user.
Try this without rsyslog configuration
Snoopy is a tiny library that logs all executed commands (+ arguments) on your system.
This is the default output location on CentOS: /var/log/secure
This is what typical Snoopy output looks like:
2015-02-11T19:05:10+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/cat]: cat /etc/fstab.BAK
2015-02-11T19:05:15+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/rm]: rm -f /etc/fstab.BAK
2015-02-11T19:05:19+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/tail]: tail -f /var/log/messages
With rsyslog config
For BASH shells, edit the system-wide BASH runtime config file:
sudo -e /etc/bash.bashrc
Append to the end of that file:
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
Set up logging for "local6" with a new file:
sudo -e /etc/rsyslog.d/bash.conf
And the contents...
local6.* /var/log/secure
Restart rsyslog:
sudo service rsyslog restart
https://askubuntu.com/questions/93566/how-to-log-all-bash-commands-by-all-users-on-a-server
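The answer above produces two different line shapes in /var/log/secure: Snoopy's `[uid:... filename:...]: command` records and the PROMPT_COMMAND hook's `user [pid]: command [status]` records. As an added example (not code from the answer or from the linked askubuntu post), the POSIX sh below rebuilds the hook's message format so you can see exactly what lands in the log, and parses both formats back into actor, command and exit status so the file can actually be reviewed. The sample log is constructed here: the Snoopy lines are the answer's own, the two hook lines assume logger(1)'s default behaviour of tagging the message with the login name. Note that on CentOS the system-wide bash startup file is /etc/bashrc rather than the Debian-style /etc/bash.bashrc used in the answer.

```shell
#!/bin/sh
# Added example: rebuild and parse the command-audit lines described in the answer.
# Runs stand-alone; needs neither rsyslog nor logger.

# Build the message the PROMPT_COMMAND hook sends: "<user> [<pid>]: <command> [<status>]".
# `history 1` prints "  123  cat /etc/fstab"; the leading number is stripped as the hook does.
build_log_message() {
    user="$1"; pid="$2"; history_line="$3"; status="$4"
    cmd=$(printf '%s\n' "$history_line" | sed 's/^[ ]*[0-9][0-9]*[ ]*//')
    printf '%s [%s]: %s [%s]\n' "$user" "$pid" "$cmd" "$status"
}

# Constructed sample of /var/log/secure content: two Snoopy records (from the answer)
# and two PROMPT_COMMAND records as logger(1) would store them with its default tag.
SAMPLE_LOG='2015-02-11T19:05:10+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/cat]: cat /etc/fstab.BAK
2015-02-11T19:05:15+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/rm]: rm -f /etc/fstab.BAK
Feb 11 19:06:01 labrat-1 root: root [12045]: cat /etc/fstab [0]
Feb 11 19:06:07 labrat-1 alice: alice [12110]: sudo rm -f /etc/fstab.BAK [1]'

# The executed command, from either record format.
extract_command() {
    case "$1" in
        *' snoopy['*) printf '%s\n' "$1" | sed 's/^.* filename:[^]]*\]: //' ;;
        *) printf '%s\n' "$1" | sed 's/^.*: [^ ]* \[[0-9]*\]: //; s/ \[[0-9]*\]$//' ;;
    esac
}

# Who ran it: Snoopy records a numeric uid ("uid:0"), the hook a login name ("root").
extract_actor() {
    case "$1" in
        *' snoopy['*) printf '%s\n' "$1" | sed 's/^.*\[uid:\([0-9]*\) .*$/uid:\1/' ;;
        *) printf '%s\n' "$1" | sed 's/^.*: \([^ ]*\) \[[0-9]*\]: .*$/\1/' ;;
    esac
}

# Exit status: only the hook records it (the trailing "[N]"); Snoopy lines yield "".
extract_status() {
    case "$1" in
        *' snoopy['*) printf '\n' ;;
        *) printf '%s\n' "$1" | sed 's/^.* \[\([0-9]*\)\]$/\1/' ;;
    esac
}

# Count records attributable to root across both formats (uid 0 or login "root").
count_root_commands() {
    n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "$(extract_actor "$line")" in
            uid:0|root) n=$((n + 1)) ;;
        esac
    done <<EOF
$SAMPLE_LOG
EOF
    printf '%s\n' "$n"
}

# List commands that exited non-zero; a quick review filter for the hook's records.
failed_commands() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        st=$(extract_status "$line")
        [ -n "$st" ] && [ "$st" != 0 ] && extract_command "$line"
    done <<EOF
$SAMPLE_LOG
EOF
}

# Stand-alone demonstration.
build_log_message root 12045 '  123  cat /etc/fstab' 0
printf 'root commands in sample: %s\n' "$(count_root_commands)"
printf 'failed commands in sample:\n'; failed_commands
```

Both setups are audit aids rather than tamper-resistant controls: PROMPT_COMMAND runs inside the user's own interactive bash and is not evaluated for scripts or other shells, and Snoopy records only dynamically linked programs that pick up its preload library. Keep that in mind when deciding what the entries in /var/log/secure can and cannot prove.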