sharadchhetri

Secondary Logging : Save All Users History Command Output As Log

June 26, 2015 by Sharad Chhetri

Secondary logging saves the output of the history command as a log. In this practical, we will set up secondary logging for all users, including root. It helps in audits: you can find out on which date and at what time users ran a command.

It has been a long time since I last worked on the secondary logging method. This time, I am sharing the method for two scenarios. See also our post on secondary logging, written a few years ago.

Practical Performed And Tested

The setup was configured and tested on the operating systems given below.

Operating System : Linux ( RHEL , CentOS , Debian , Ubuntu , Linux Mint)
Arch : x86 and x86_64

Pros And Cons Of Using Secondary Logging

Pros:

1. We can save the history command output of all users on the system, for example in /var/log.
2. Even when a user becomes super user with sudo su - or su -, secondary logging saves that user's history commands as logs.
3. Whatever commands the user runs as super user are logged too.
4. No package installation is required.
5. Even if a user tries to remove the secondary logging logs, that is logged as well.
6. You can use your own ideas and make it more innovative. An understanding of bash is required.
7. You can also save the secondary logging logs in a remote location via an rsyslog server, an S3 bucket, etc.

Cons:

Secondary logging does not save the history command logs at runtime. The log is saved only when the user exits the terminal or gets disconnected.

Setup Secondary Logging

1. Setting secondary logging for super user and root.
2. Setting secondary logging for other user except root/superuser.

Setup secondary logging for root and super user

The settings are quite simple, and they log the history command output of the super user or root. The advantage here is that when a user switches to super user and works as root, that activity is saved in the secondary log, and the log file name shows which user became super user.

Let’s start setting secondary log for root and super user.

1. Create directory to save logs of secondary logging.

mkdir -p /var/log/sudo_historylogs/

2. Edit /root/.bashrc

vi /root/.bashrc

And paste below given content in /root/.bashrc.

export HISTSIZE=10000
export HISTTIMEFORMAT='%F %T '
export HISTFILE=/var/log/sudo_historylogs/history-sudo-$(who am i | awk '{print $1}';exit)-$(date +%F)
export PROMPT_COMMAND='history -a'

3. Activate the settings.

source /root/.bashrc

That’s it. Logging starts now. To test, log in as a user and become super user, run some commands and exit. Check that a new log file has been created inside /var/log/sudo_historylogs. Open the newly created log file and you will see the commands the user ran.

Setup secondary logging for other users except root

The logic is the same as described above, with one change: we create a separate log directory for users who are not super user or root. We also do not log the root user here.

Follow the given below steps.

1. Create directory for logging other users.

mkdir -p /var/log/users_historylogs/

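2. Set the sticky bit on /var/log/users_historylogs/ and make the directory writable. A directory created by root is not writable by other users, so without write permission their shells cannot create history files in it; the sticky bit stops a user from deleting another user's file.

chmod 1777 /var/log/users_historylogs/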

3. Create a new script inside /etc/profile.d/

vi /etc/profile.d/history_log.sh

And paste the below content in /etc/profile.d/history_log.sh file, save and exit.

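# Login name that owns this terminal; stays the same after su or sudo su.
_who_am_i=$(who am i | awk '{print $1}')
# Left unquoted on purpose: if who prints nothing, id -u reports the current user.
_ID=$(id -u $_who_am_i)

# Non-root users only. -gt compares numbers; inside [ ], ">" is a redirection,
# so the test would only check that $_ID is non-empty and create a file named 0.
if [ "$_ID" -gt 0 ]
then
export HISTSIZE=10000
export HISTTIMEFORMAT='%F %T '
export HISTFILE=/var/log/users_historylogs/history-users-$(who am i | awk '{print $1}';exit)-$(date +%F)
export PROMPT_COMMAND='history -a'
fi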

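Set the permission. /etc/profile sources only the files in /etc/profile.d/ that the logging-in user can read, so the script must be readable by all users.

chmod 644 /etc/profile.d/history_log.sh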

4. Activate the script

source /etc/profile.d/history_log.sh

We have now completed the settings for both scenarios, i.e. for super users and for other users.

To test secondary logging, log in as any user other than root, run some commands and exit.
Log back in as root and check the /var/log/users_historylogs/ directory. You will find that new log files have been generated. Open a file and you will find the history of the commands used by the user who last logged in.

Filed Under: Linux Tagged With: secondary logging


Comments

  1. Ashok says

    September 15, 2021 at 11:56 pm

    Hi Sharad,

    Could you please let me know if this process would work for AIX servers since /etc/profile.d doesn’t exist on AIX OS? Secondary logging for root will work if we put the contents in /etc/profile but I’m not sure how secondary logging would work for non-root users on AIX servers.

    Thank you.

    • Sharad Chhetri says

      December 16, 2021 at 2:49 am

      Hi Ashok,

      Currently I do not have AIX systems but I still remember this was implemented in AIX servers too.

      Regards
      Sharad

  2. vivek says

    September 11, 2019 at 9:14 am

    Hi Sharad, your article is amazing. Could you please give me a suggestion?

    I want to show which user turns to root in the history command or in logs, as your article is doing, as we have multiple users who turn to root using sudo sudo -i and we are not able to track which user turns root and runs commands when multiple users turn root at the same time.

    Could you please help in suggesting a solution?

    • Sharad Chhetri says

      October 7, 2019 at 2:02 pm

      Hi Vivek,

      1. The Secondary logging settings should be applied for all users including root.
      2. In log directory, it will create logs for all users.

      When a user switches to user root, it will run the su command for it. This will be tracked in the user’s log.
      Hope it will help.

      Regards
      Sharad

  3. Anand says

    December 24, 2018 at 12:44 pm

    Hey, thanks for the article. This is useful. But do you have any way to make sure once the user sudos as root, there is no way he can delete/modify the history log files?

    • Sharad Chhetri says

      December 25, 2018 at 7:44 am

      Hi Anand,

      Generally we can set permissions on a file, but root can do everything in the system. As a best practice, you can set up a remote log server (e.g. rsyslog) to keep a backup of the logs in sync.
      Apart from that, when a user tries to remove/modify the log, that action will also be logged.

      Regards
      Sharad

  4. Gaurav says

    November 27, 2018 at 11:47 am

    Hi Sharad

    When we tried secondary logging for users, we added the script in vi /etc/profile.d/history_log.sh, and when we tried to log in with another user and execute commands, they are not shown or saved in /var/log/users_historylogs/. Only the ubuntu user's details are present; the details of all other users are not getting saved.

    • Sharad Chhetri says

      November 27, 2018 at 3:48 pm

      Hi Gaurav,

      The root and non-root user should be setup separately.
      If you can tell me your Operating System and its version, I will try to reproduce the issue and check again.

      Also note that if you are trying with other user, the user should have hit some command after this implementation then only it will log.

      Regards
      Sharad

      • Gaurav Khandelwal says

        November 30, 2018 at 4:55 am

        Hi Sharad

        The OS is Ubuntu 16.04 LTS. When we enabled secondary logging for users as mentioned and tried logging in and executing commands, we see that only su – xxxx is getting captured in /var/log/users_historylogs/, but not the commands executed by the secondary user. Please check this and advise if this works for you.

        • Sharad Chhetri says

          November 30, 2018 at 6:07 pm

          Hi Gaurav,

          I found the problem area. It is actually with PROMPT_COMMAND. When a user logs in and becomes super user on sudo su, the PROMPT_COMMAND is not working on Ubuntu. Probably it happened after a change in bash versions. I am checking if there is any workaround for this in Ubuntu OS.

          Regards
          Sharad

          • Sharad Chhetri says

            November 30, 2018 at 6:45 pm

            Hi Gaurav,

            Try this in your Ubuntu system. Instead of creating a shell script in /etc/profile.d, update /etc/bash.bashrc.
            In /etc/bash.bashrc add these new lines.

            root@ubuntu:/home/sharad# cat /etc/bash.bashrc |tail -20
            
            
            _who_am_i=$(who am i|awk '{print $1}')
            _ID=$(id -u $_who_am_i)
             
            if [ "$_ID" -gt 0 ]
            then
            export HISTSIZE=10000
            export HISTTIMEFORMAT='%F %T '
            export HISTFILE=/var/log/users_historylogs/history-users-$(who am i | awk '{print $1}';exit)-$(date +%F)
            export PROMPT_COMMAND='history -a;date >> $HISTFILE'
            fi
            
            if [ "$_ID" == 0 ]
            then
            export HISTSIZE=10000
            export HISTTIMEFORMAT='%F %T '
            export HISTFILE=/var/log/sudo_historylogs/history-sudo-$(who am i | awk '{print $1}';exit)-$(date +%F)
            export PROMPT_COMMAND='history -a'
            fi
            

            Also change the permission to 777 of /var/log/sudo_historylogs/ and /var/log/users_historylogs .

            Check once and let me know.

            Remember that the non-root user when it changes to login by using sudo su command , at that time history will be saved in log.

            Regards
            Sharad

  5. Rajesh Maurya says

    August 24, 2018 at 8:17 am

    Setup secondary logging for other users except root is not working for other user

    • Sharad Chhetri says

      August 25, 2018 at 2:37 pm

      Hi Rajesh,

      Make a file in /etc/profile.d/. It will apply to all.

      Regards
      Sharad

  6. deepak pandiyan says

    August 22, 2016 at 11:28 am

    I have configured my server /etc/bashrc with these settings to capture sudo secondary logging
    export HISTSIZE=10000
    export HISTTIMEFORMAT="%F %T "
    export HISTFILE=/var/log/bashhist/root_history-$(who am i | awk '{print $1}';exit)
    export PROMPT_COMMAND='history -a'

    output
    In the output I am getting some random numbers instead of the date and timestamp
    #1471863084
    echo all is well
    #1471863110
    tail /var/log/bashhist/root_history-deepakp1
    #1471863124
    vim /etc/bashrc

    • Sharad Chhetri says

      August 24, 2016 at 3:35 pm

      Hello Deepak,

      The date and time are printed in epoch format. Given below is an example to convert epoch format to human-readable.

      sharad@linuxworld:~$ date -d "@1471863124"
      Mon Aug 22 16:22:04 IST 2016
      sharad@linuxworld:~$
      

      Regards
      Sharad

      • deepak says

        August 29, 2016 at 6:09 am

        Thanks Buddy !!!!!!!!!! Much appreciated. I have a lot of lines to verify. Can we have any commands to verify or convert the whole file into human-readable form?
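
The whole-file conversion asked about in the last comment, as an added example that is not part of the original post or its comments. It assumes GNU date (the same date -d "@..." form used in the reply above); the function name history_to_readable and the output layout are choices made for this example.

```shell
#!/bin/sh
# Render a bash HISTFILE whose entries are preceded by "#<epoch>" lines
# (written when HISTTIMEFORMAT is set) as "<date> <time>  <command>".

history_to_readable() {
    # $1: history file; standard input is read when it is omitted.
    ts=""
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        case "$line" in
            '#'[0-9]*)
                candidate=${line#?}
                case "$candidate" in
                    *[!0-9]*) ;;   # "#2nd try": a typed comment, not a timestamp
                    *) ts=$candidate; continue ;;
                esac
                ;;
        esac
        if [ -n "$ts" ]; then
            # $ts holds digits only, so it is safe to hand to date.
            when=$(date -d "@$ts" '+%F %T') || when="invalid:$ts"
        else
            # Entry written before timestamps were switched on.
            when="no-timestamp"
        fi
        # Continuation lines of a multi-line entry keep the same timestamp.
        printf '%s  %s\n' "$when" "$line"
    done < "${1:-/dev/stdin}"
}

# Sample lines copied from the comment above; times print in the local zone.
history_to_readable <<'EOF'
#1471863084
echo all is well
#1471863110
tail /var/log/bashhist/root_history-deepakp1
#1471863124
vim /etc/bashrc
EOF
```

Run it as root against a real log, for example history_to_readable /var/log/sudo_historylogs/history-sudo-USER-DATE, where USER and DATE stand for the parts of an actual file name.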
