When we do sudo su – or su – and user become root we mostly found that in log it is not easy to track which command is used by which user.
In this post, we will setup the secondary logging to Keep logs of root user after sudo access. You can also setup the same configuration on non root user also.
In other words,we can save the commands hit by user even after it become root after doing sudo su – or su – .
How To Setup Secondary Logging For Sudo Activity
In this login into the Server as Root.
Step 1: Create Directory
Create directory called users_historylogs in /var/log/
mkdir -p /var/log/users_historylogs
Step 2: Configure History
Paste the given below contents in /root/.bashrc
export HISTSIZE=10000
export HISTTIMEFORMAT="%F %T "
export HISTFILE=/var/log/users_historylogs/root_history-$(who am i | awk '{print $1}';exit)
export PROMPT_COMMAND='history -a'
Step 3: Initialize .bashrc
After saving the file. Hit the below given command.
source /root/.bashrc
Now you can check. Do logout and login and change to directory /var/log/users_historylogs .
You will find the logs and open it. You must have history of commands in this logs.
In next part , we have written the Secondary Logging For All Users
my requirement is to get all commands run on the system with date and time.Lets say A user logged into system and then switched to B ..commands run by both users in that session should be logged in a single file. This is not happening as of now.Also would like to get different lof files if a user opens multiple session then runs seperate commands.
M using RHEL6
Hi Ruhi,
If A User switch to B User then Computer understand it as 2 different users. Hence, the 2 different logs for each computer user will be logged.
For Date and Time, work on this line
HISTTIMEFORMAT="%F %T ". You can set the date time format according to you.It is similar to Date Command options available.Regards
Sharad
I want to get the commands run by each user using sudo/su/su -/powerbroker with date and time details.
Hi Ruhi,
Check this post once “Secondary Logging : save all users history command output as log”
Regards
Sharad
It actually logs the command history when you come out from the session in reverse order.any solution for this
Hi Ruhi,
Yes, it actually keeps the command history of user who login to the shell. Will you help me to understand your exact problem and what you are trying to achieve? I also want to know in which Operating System you are trying this solution.
Regards
Sharad
Hi Sharad,
will this work on TCSH shell ?
am unable to run as $HISTFILE variable is not in tcsh shell please help me to setup the same in tcsh shell.
Thanks
simple solution! Good work…. I recommend to learn the account auditing features of your systems with the psacct or acct programs? Or turn on pam_tty_audit.so and capture every keystroke. Cheers
This is great! Thank you for sharing.
Would you or anybody here have instructions on how to add this custom log into syslog and ship to a central logging server?
I was thinking it would be as simple as adding 1 line to my /etc/rsyslog.conf
“`
/var/log/users_historylogs/* @@syslog-central.my.com
“`
that didn’t work out for me.
TYIA for your comments
Great !! Thanks.. that is what I needed. One question, in the new LOG File, is there a way to show the date-time?
Now it shows like this:
cat /var/log/users_historylogs/root_history-sergio
#1464536018
cat /var/log/users_historylogs/root_history-sergio
#1464536031
nano /root/.bashrc
#1464536093
nano /root/.bashrc
#1464536100
source /root/.bashrc
#1464536102
ls -lh
Hello Sergio,
Seems the log is saving date/time as epoch way. I have seen this in some of our server but my bad this lazy fellow not work to make it human readable.
Try to convert epoch time by using below given command, consider as example also –
sharad@linuxworld:~$ date --date @1464536102Sun May 29 21:05:02 IST 2016
sharad@linuxworld:~$
Hope it will work for you.
Regards
Sharad
Thanks a lot, its useful solution.
Hello,
Your solution is pretty useful but I still have a problem: that doesn’t work into a TMUX session 🙁
Challenge accepted? 🙂
This is great, it’s what I was looking for… I had one question though
Is there a way to display to date format year-month-day time? Currently with the above commands it displays as #1392323966?
I am using centos 6.5
Thanx
Fritz,
Thanks for appreciation.I really forget what these number is. It logs when you use history -a command.
Alternatively , you can use this line
export PATHexport HISTSIZE=10000
export HISTTIMEFORMAT="%F %T "
export HISTFILE=/var/log/users_historylogs/root_history-$(who am i | awk '{print $1}';exit)-`date +%F`
export PROMPT_COMMAND='history -a;date >> $HISTFILE'
The date of execution will be appended in history log file.I hope it will work for you
Apologise, I really forgot to write about what these number is. Even not able to recall what is it
You can match the date and time by analyzing date in log file and
history 10command (it will show last 10 history command run)