Keep logs of user after sudo su - : Secondary Logging
When a user runs sudo su - or su - and becomes root, the logs usually make it hard to tell which command was run by which user.
This setup keeps saving the commands a user types even after they have become root through sudo su - or su -.
Below are the How To steps:
For this, log into the server as root.
Step 1: Create a directory called users_historylogs in /var/log/
```bash
mkdir -p /var/log/users_historylogs
```
Step 2: Append the contents given below to /root/.bashrc
```bash
export HISTSIZE=10000
# Record a timestamp with every command
export HISTTIMEFORMAT="%F %T "
# 'who am i' reports the user who originally logged in on this terminal, even after
# sudo su - or su -, so each user gets their own root history file
export HISTFILE=/var/log/users_historylogs/root_history-$(who am i | awk '{print $1}')
# Append history to the file after every command instead of only at logout
export PROMPT_COMMAND='history -a'
```
Step 3: After saving the file, run the command given below so the current shell picks it up.
```bash
source /root/.bashrc
```
Now verify it: log out, log in again, and change to the directory /var/log/users_historylogs .
You will find the log files there; open one and it will contain the history of commands. Note that anyone who is root can edit or delete these files, so treat them as a convenience log rather than a tamper-proof audit trail.
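Because HISTTIMEFORMAT is set, bash stores a `#<epoch>` line before each command in these history files (the `#1464536018` style lines a commenter asks about below are exactly that). As an added example, not part of the original post, here is a small reader for such a file that converts those timestamps to UTC and flags commands that touch the logging setup itself; the sample log and the review patterns are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample (values invented for this example) in the layout bash
# writes when HISTTIMEFORMAT is set: a '#<epoch>' line precedes each command.
SAMPLE_LOG = """\
#1464536018
cat /var/log/users_historylogs/root_history-sergio
#1464536093
nano /root/.bashrc
#1464536100
source /root/.bashrc
#1464536102
ls -lh
"""

TIMESTAMP_RE = re.compile(r"^#(\d{9,10})$")

# Commands that alter or inspect the logging setup itself; the list is this
# example's own choice, not something the post defines.
REVIEW_RE = re.compile(
    r"\.bashrc|\bunset\s+HIST|\bHISTFILE=|\bhistory\s+-c\b|/var/log/users_historylogs"
)


def parse_history(text):
    """Return (timestamp_utc, command) pairs from a history file that carries
    '#<epoch>' timestamp lines. A command with no preceding timestamp gets None."""
    entries = []
    pending_ts = None
    for line in text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if m:
            pending_ts = int(m.group(1))
            continue
        if not line.strip():
            continue
        stamp = None
        if pending_ts is not None:
            stamp = datetime.fromtimestamp(pending_ts, tz=timezone.utc)
            stamp = stamp.strftime("%Y-%m-%d %H:%M:%S")
        entries.append((stamp, line))
        pending_ts = None
    return entries


def flag_for_review(entries):
    """Keep only entries whose command touches the history logging setup."""
    return [(ts, cmd) for ts, cmd in entries if REVIEW_RE.search(cmd)]
```

Run `parse_history(open(path).read())` on one of the root_history-* files to get a timestamped listing, and `flag_for_review` on the result to see which commands touched the logging configuration.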
Simple solution! Good work. I recommend learning the account auditing features of your system with the psacct or acct programs. Or turn on pam_tty_audit.so and capture every keystroke. Cheers
This is great! Thank you for sharing.
Would you or anybody here have instructions on how to add this custom log into syslog and ship to a central logging server?
I was thinking it would be as simple as adding one line to my /etc/rsyslog.conf
```
/var/log/users_historylogs/* @@syslog-central.my.com
```
That didn't work out for me.
TYIA for your comments
Great!! Thanks, that is what I needed. One question: in the new log file, is there a way to show the date and time?
Now it shows like this:
```
cat /var/log/users_historylogs/root_history-sergio
#1464536018
cat /var/log/users_historylogs/root_history-sergio
#1464536031
nano /root/.bashrc
#1464536093
nano /root/.bashrc
#1464536100
source /root/.bashrc
#1464536102
ls -lh
```
Hello Sergio,
It seems the log is saving the date/time as epoch values. I have seen this on some of our servers, but my bad, this lazy fellow did not get around to making it human readable.
Try converting the epoch time with the command given below; take this as an example:
```
sharad@linuxworld:~$ date --date @1464536102
Sun May 29 21:05:02 IST 2016
sharad@linuxworld:~$
```
Hope it will work for you.
Regards
Sharad
Thanks a lot, it's a useful solution.
Hello,
Your solution is pretty useful, but I still have a problem: it doesn't work in a TMUX session 🙁
Challenge accepted? 🙂
This is great, it's what I was looking for... I had one question though.
Is there a way to display the date in year-month-day time format? Currently with the above commands it displays as #1392323966?
I am using CentOS 6.5
Thanks
Fritz,
Thanks for the appreciation. I really forget what these numbers are. It logs when you use the history -a command.
Alternatively, you can use these lines:
```bash
export PATH
export HISTSIZE=10000
export HISTTIMEFORMAT="%F %T "
export HISTFILE=/var/log/users_historylogs/root_history-$(who am i | awk '{print $1}';exit)-`date +%F`
export PROMPT_COMMAND='history -a;date >> $HISTFILE'
```
The date of execution will be appended to the history log file. I hope it will work for you.
Apologies, I really forgot to write about what these numbers are. I am not even able to recall what they are.
You can match the date and time by analyzing the date in the log file and the
```
history 10
```
command (it will show the last 10 history commands run).