Keep logs of user after sudo su – : Secondary Logging

When a user runs sudo su – or su – and becomes root, the system logs make it hard to tell which user ran which command: sudo records only the su – invocation itself, and everything typed in the root shell afterwards ends up, at best, in the shared /root/.bash_history with no link back to the user who logged in.

In this post we set up secondary logging to keep a per-user log of the commands run as root after sudo access. The same configuration can also be applied to non-root users.

In other words, we can record the commands a user runs even after they have become root via sudo su – or su –.

How To Setup Secondary Logging For Sudo Activity

For this, log in to the server as root.

Step 1: Create Directory

Create a directory called users_historylogs in /var/log/. The files written there record root's commands, so once it exists make it readable by root only (mode 0700); otherwise every local user can read the command log.

mkdir -p /var/log/users_historylogs

Step 2: Configure History

Add the lines below to /root/.bashrc:

export HISTSIZE=10000
export HISTFILESIZE=$HISTSIZE
export HISTTIMEFORMAT="%F %T "
export HISTFILE=/var/log/users_historylogs/root_history-$(who am i | awk '{print $1}')
export PROMPT_COMMAND='history -a'
shopt -s histappend

How it works: who am i prints the name the login session was started with (taken from utmp), and that name does not change after su – or sudo su –, so the file is still named after the user who actually logged in. HISTTIMEFORMAT makes bash store a timestamp with every command: in the file it appears as a #<epoch seconds> line just above the command, and the history builtin displays it in the format given. PROMPT_COMMAND='history -a' appends each command to the file as soon as the next prompt is drawn instead of only at logout. histappend and HISTFILESIZE stop bash from overwriting the file, or truncating it to its older default of 500 lines, when the shell exits.

Step 3: Initialize .bashrc

After saving the file, load it into the current shell:

source /root/.bashrc

Now check it: log out, log back in (or sudo su – from an ordinary account) and change to /var/log/users_historylogs. You will find a file named root_history-<login user> containing the commands run in that session.

One caveat: this is a convenience log, not an audit trail. Anyone who is already root can unset HISTFILE, edit the file, or kill the shell before it writes, and who am i prints nothing inside tmux or in a session without a login tty (a non-interactive ssh command, for example), which leaves the file name without a user. For recording that the user cannot switch off, use the kernel audit system (pam_tty_audit with auditd) or process accounting alongside it.
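As an added example (not code from the original post), the two helpers below cover the points that matter in practice: choosing the log file name when who am i has nothing to report, and reading the file this setup produces, where bash stores each timestamp as a #<epoch> line rather than in the HISTTIMEFORMAT format. It assumes bash and GNU date (for date -d @<epoch>); the sample history file is constructed inline, using the epoch values a commenter posted below, so nothing is written under /var/log.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: helpers for the
# secondary-logging setup above. Assumes bash and GNU date (date -d).

# is_digits STRING: true when STRING is non-empty and all digits.
is_digits() { [ -n "$1" ] && [ "$1" = "${1##*[!0-9]*}" ]; }

# login_user: name of the user who really logged in, for the log file name.
# "who am i" reads utmp, which survives "su -" and "sudo su -", but it prints
# nothing under tmux or in a session without a login tty, so fall back to
# SUDO_USER (set by sudo, kept by "sudo -i") and then to logname before
# giving up with "unknown" rather than producing a file with an empty suffix.
login_user() {
    local u
    u=$(who am i 2>/dev/null | awk '{print $1}')
    [ -n "$u" ] || u=${SUDO_USER:-}
    [ -n "$u" ] || u=$(logname 2>/dev/null)
    printf '%s\n' "${u:-unknown}"
}

# render_history FILE: print the history file with readable timestamps.
# With HISTTIMEFORMAT set, bash writes "#<epoch seconds>" on the line before
# each command; this prints "YYYY-MM-DD HH:MM:SS  <command>" in UTC instead,
# so the log can be reviewed without loading it into an interactive shell.
# A command with no timestamp line (e.g. written by an older shell) is kept
# and marked "unknown-time" rather than dropped.
render_history() {
    local file=$1 ts="" line epoch
    while IFS= read -r line || [ -n "$line" ]; do
        epoch=${line#\#}
        if [ "$epoch" != "$line" ] && is_digits "$epoch"; then
            ts=$(date -u -d "@$epoch" '+%F %T')
            continue
        fi
        printf '%s  %s\n' "${ts:-unknown-time}" "$line"
        ts=""
    done < "$file"
}

# make_sample_history: write a constructed sample of what bash stores in
# HISTFILE (the epoch values are the ones posted in the comments) to a temp
# file and print its path, so the example runs without touching /var/log.
make_sample_history() {
    local f
    f=$(mktemp)
    printf '%s\n' \
        '#1464536018' 'cat /var/log/users_historylogs/root_history-sergio' \
        '#1464536093' 'nano /root/.bashrc' \
        '#1464536102' 'ls -lh' > "$f"
    printf '%s\n' "$f"
}

# Usage: on a real box the file is the one named after login_user, e.g.
#   render_history "/var/log/users_historylogs/root_history-$(login_user)"
# Here the constructed sample stands in for it.
sample=$(make_sample_history)
render_history "$sample"
rm -f "$sample"
```

login_user is a drop-in for the $(who am i | awk '{print $1}') part of the HISTFILE line; render_history is what a reviewer runs on the log afterwards, which gives readable timestamps without opening a shell with that HISTFILE set.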

In the next part, we have written up secondary logging for all users.

15 thoughts on “Keep logs of user after sudo su – : Secondary Logging”

  1. My requirement is to get all commands run on the system with date and time. Let's say user A logged into the system and then switched to B; commands run by both users in that session should be logged in a single file. This is not happening as of now. Also, I would like to get different log files if a user opens multiple sessions and runs separate commands.

    I'm using RHEL6
    • Hi Ruhi,

      If user A switches to user B, then the computer understands it as 2 different users. Hence, 2 different logs, one for each computer user, will be written.
      For the date and time, work on this line: HISTTIMEFORMAT="%F %T ". You can set the date-time format as you like; it is similar to the options available for the date command.

      Regards
      Sharad

    • Hi Ruhi,

      Yes, it actually keeps the command history of the user who logs in to the shell. Will you help me to understand your exact problem and what you are trying to achieve? I also want to know which operating system you are trying this solution on.

      Regards
      Sharad

  2. Hi Sharad,

    Will this work on the TCSH shell?

    I am unable to run it, as the $HISTFILE variable is not in the tcsh shell. Please help me set up the same in the tcsh shell.

    Thanks

  3. Simple solution! Good work. I recommend learning the account auditing features of your system with the psacct or acct programs, or turning on pam_tty_audit.so and capturing every keystroke. Cheers
  4. This is great! Thank you for sharing.

    Would you or anybody here have instructions on how to add this custom log into syslog and ship it to a central logging server?

    I was thinking it would be as simple as adding 1 line to my /etc/rsyslog.conf:

    /var/log/users_historylogs/* @@syslog-central.my.com

    That didn't work out for me.
    TYIA for your comments
  5. Great!! Thanks, that is what I needed. One question: in the new log file, is there a way to show the date and time?
    Now it shows like this:

    cat /var/log/users_historylogs/root_history-sergio
    #1464536018
    cat /var/log/users_historylogs/root_history-sergio
    #1464536031
    nano /root/.bashrc
    #1464536093
    nano /root/.bashrc
    #1464536100
    source /root/.bashrc
    #1464536102
    ls -lh

    • Hello Sergio,

      It seems the log is saving the date/time in epoch format. I have seen this on some of our servers, but my bad, this lazy fellow has not done the work to make it human-readable.
      Try converting the epoch time with the command given below; take this as an example too:

      sharad@linuxworld:~$ date --date @1464536102
      Sun May 29 21:05:02 IST 2016
      sharad@linuxworld:~$

      Hope it will work for you.

      Regards
      Sharad

  6. Hello,

    Your solution is pretty useful, but I still have a problem: it doesn't work in a TMUX session 🙁

    Challenge accepted? 🙂

  7. This is great, it's what I was looking for. I had one question though:

    Is there a way to display the date in year-month-day time format? Currently, with the above commands, it displays as #1392323966.

    I am using centos 6.5

    Thanx

    • Fritz,

      Thanks for the appreciation. I really forget what these numbers are. They are logged when you use the history -a command.
      Alternatively, you can use these lines:

      export PATH
      export HISTSIZE=10000
      export HISTTIMEFORMAT="%F %T "
      export HISTFILE=/var/log/users_historylogs/root_history-$(who am i | awk '{print $1}';exit)-`date +%F`
      export PROMPT_COMMAND='history -a;date >> $HISTFILE'

      The date of execution will be appended to the history log file. I hope it will work for you.
      Apologies, I really forgot to write about what these numbers are, and I am not even able to recall what they are.

      You can match the date and time by comparing the date in the log file with the output of history 10 (it will show the last 10 history commands run).
