How to log all Bash commands by all users on a server?


Solution 1

For BASH shells, edit the system-wide BASH runtime config file:

sudo -e /etc/bash.bashrc

Append to the end of that file:

# Log every command, with the user, the shell's PID and the command's exit status,
# to syslog facility local6; the "history 1 | sed" part strips the history number.
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

Set up logging for "local6" with a new file:

sudo -e /etc/rsyslog.d/bash.conf

And the contents...

local6.*    /var/log/commands.log

Restart rsyslog:

sudo service rsyslog restart

Log out. Log in. Voila!

But I forgot about log rotation:

sudo -e /etc/logrotate.d/rsyslog

There is a list of log files to rotate the same way...

/var/log/mail.warn
/var/log/mail.err
[...]
/var/log/message

So add the new bash-commands log file in that list:

/var/log/commands.log

Save.
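Two things a practitioner will want to check after deploying Solution 1: that the message format is parseable, and what the shell actually feeds into it. The script below is an added example (it is not part of the answer above): it re-implements the answer's history-number stripping with a POSIX sed expression (the answer's `\+` is a GNU extension), parses lines in the format the PROMPT_COMMAND produces, and pulls out the entries an admin reviews first. The sample log lines are constructed and assume rsyslog's default "timestamp host tag: message" layout with logger's tag defaulting to the user name; the host name and PIDs are made up.

```shell
#!/bin/sh
# Added example, not code from the original answer: helpers around the
# commands.log format produced by Solution 1's PROMPT_COMMAND.

# Same job as the sed in the answer, without the GNU-only "\+", so it also
# runs under BSD/busybox sed.  Input: one line as printed by `history 1`.
# Assumes HISTTIMEFORMAT is unset; if it is set, the formatted time sits
# between the number and the command and would survive this strip.
strip_history_prefix() {
    printf '%s\n' "$1" | sed 's/^[ ]*[0-9]\{1,\}[ ]*//'
}

# Turn a commands.log line into "user pid rc command" by anchoring on the
# fixed markers the answer's message carries: "<user> [<pid>]: <cmd> [<rc>]".
parse_commands_log() {
    sed -n 's/^.*: \([^ ]*\) \[\([0-9]*\)\]: \(.*\) \[\([0-9]*\)\]$/\1 \2 \4 \3/p'
}

# Print the entries an admin reviews first: failed commands, anything run
# through sudo, and everything typed at a root shell.
flag_for_review() {
    parse_commands_log | awk '{
        user = $1; pid = $2; rc = $3
        cmd = $4; for (i = 5; i <= NF; i++) cmd = cmd " " $i
        if (rc + 0 != 0 || user == "root" || cmd ~ /^sudo /)
            print user, pid, rc, cmd
    }'
}

# Constructed sample of what rsyslog writes for the answer's logger call
# (host "srv", user names and PIDs invented for the example).
SAMPLE_LOG='Sep 18 12:00:01 srv alice: alice [2345]: ls -la /etc [0]
Sep 18 12:00:09 srv alice: alice [2345]: sudo apt-get install nmap [0]
Sep 18 12:00:30 srv bob: bob [2410]: cat /etc/shadow [1]
Sep 18 12:01:15 srv root: root [2500]: usermod -aG sudo bob [0]'

# Demo: three of the four sample lines are flagged (the plain "ls" is not).
printf '%s\n' "$SAMPLE_LOG" | flag_for_review
```

Run it against the real file with `flag_for_review < /var/log/commands.log`. Two caveats the answer does not mention: PROMPT_COMMAND runs each time a prompt is drawn, so pressing Enter at an empty prompt logs the previous command a second time, and a user can `unset PROMPT_COMMAND`; adding `readonly PROMPT_COMMAND` after the export in /etc/bash.bashrc stops the unset in that shell (at the cost of breaking any ~/.bashrc that assigns to it), but not `exec sh` or `bash --norc`.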

Solution 2

You could use snoopy.

Snoopy logger may suit your purpose well. It is not intended to be an unavoidable logging solution, but rather a helpful tool for diligent admins who prefer to keep track of their own actions.

Disclosure: I am the snoopy maintainer.

Solution 3

A process accounting system may be helpful in this regard, particularly the acct package that provides the lastcomm and ac commands.

The ac command prints out statistics about users' connection time, in hours. This is the amount of time that the user has been connected to the system, either remotely via SSH or a serial terminal, or while on the console.

The lastcomm command displays information about the previously executed commands. The most recent entries are given at the top of the list. Also displayed is the total amount of CPU time that each process used.

An old tutorial that may be helpful is here:

http://www.linuxjournal.com/article/6144?page=0,1

Other accounting commands like last and so on can be found in this tutorial:

http://www.techrepublic.com/article/system-accounting-in-linux/1053377
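To see what process accounting gives you in practice, here is an added example (not from the answer above) for Debian/Ubuntu with the GNU acct package: a function that switches accounting on and queries it, a parser for lastcomm's output that counts fields from the right so it does not depend on column widths, and a per-user tally. The sample lastcomm lines are constructed to match the real layout (command, optional flag letters, user, tty, CPU seconds, date) but are not captured output; the `accton on` form assumes a GNU acct version that accepts it.

```shell
#!/bin/sh
# Added example, not code from the original answer: enabling BSD process
# accounting and summarising lastcomm records.

# Install and switch on accounting, then query it (needs root; this is the
# Debian/Ubuntu procedure and is not exercised by the demo below).
enable_process_accounting() {
    sudo apt-get install -y acct
    sudo accton on                       # start writing the pacct file
    sudo ac -p                           # connect time per user, in hours
    sudo lastcomm --user "${1:-root}"    # per-process records for one user
}

# lastcomm prints: command [flags] user tty cpu "secs" weekday month day time.
# The flags field (letters such as S for super-user) may be absent, so take
# the fixed fields from the right end of the line.
parse_lastcomm() {
    awk '{
        n = NF
        if (n < 9) next                  # not a record line
        user = $(n-7); tty = $(n-6); cpu = $(n-5)
        flags = (n >= 10) ? $2 : "-"
        print $1, flags, user, tty, cpu
    }'
}

# Tally of executable names per user.  Only the basename is recorded (and
# truncated to 16 characters by the pacct format): arguments and paths are
# never available, which is the limit Phil_1984_ notes in the comments.
tally_per_user() {
    parse_lastcomm | awk '{ c[$3 " " $1]++ } END { for (k in c) print k, c[k] }' | sort
}

# Constructed sample in lastcomm's layout (users, ttys and times invented).
SAMPLE_LASTCOMM='bash                    alice    pts/0      0.02 secs Mon Sep 18 12:00
ls                      alice    pts/0      0.00 secs Mon Sep 18 12:00
cat                     bob      pts/1      0.00 secs Mon Sep 18 12:01
sudo             S      alice    pts/0      0.01 secs Mon Sep 18 12:02
apt-get          S      root     pts/0      1.30 secs Mon Sep 18 12:02'

# Demo: one line per user/command pair, e.g. "alice sudo 1".
printf '%s\n' "$SAMPLE_LASTCOMM" | tally_per_user
```

On a live system replace the sample with `lastcomm | tally_per_user`. Note what the tally cannot answer: it shows that bob ran `cat`, not that the argument was /etc/shadow, so pair accounting with Solution 1 if you need the command line.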


Author: Tony Graham

Updated on September 18, 2022

Comments

  • Tony Graham, over 1 year:

    Our small company runs an Ubuntu Server 11.10, to which a couple of people have SSH access. The actual terminals are sometimes used, too. How can we locally log all Bash commands run, along with user and time stamp?

    We can assume that no-one is nefarious and actively trying to avoid the logging, but we'd still prefer the users not to have direct write-access to their log files. Simultaneous sessions must be handled correctly.

  • big-marc, over 12 years:
    Forgot about log rotation, which I added to the answer.
  • yop83, over 10 years:
    I believe this can be easily deactivated by the user by simply resetting or unsetting PROMPT_COMMAND or exec-ing to a non-bash shell.
  • Benubird, about 10 years:
    Is there anything special about local6? What does it refer to?
  • kopikaokao, almost 10 years:
    @Benubird it looks like there's a few preset facility levels, 8 of them being local0-local7: en.wikipedia.org/wiki/Syslog . 0 means emergency, 7 means debug, and 6 is just shy of 7, "normal operational messages."
  • muru, over 9 years:
    Please provide instructions on installing and using it in the answer.
  • Bostjan Skufca Jese, over 9 years:
    Detailed installation instructions are available on the snoopy github page, which is the main snoopy resource right now: github.com/a2o/snoopy. I am against providing installation instructions in other places, as the primary location is maintained by design and others are not. BTW the Readme was just updated to be more structured.
  • muru, over 9 years:
    Maybe so. But without even a summary of the steps needed to use this, this is a link-only answer and likely to be deleted.
  • Bostjan Skufca Jese, over 9 years:
    Well, I provided a pointer to an alternative and viable solution. If that is not what this site is all about, then by all means it should get deleted, together with my account.
  • Bostjan Skufca Jese, over 9 years:
    @karel : Yes, make enable writes to /etc/ld.so.preload. Root privileges are essential.
  • karel, over 9 years:
    Thank you. The installation procedure is clear to me now. For any others who may have any general questions about the installation procedure, please read this answer.
  • Bostjan Skufca Jese, over 9 years:
    @karel Do feel free to contribute detailed Ubuntu-specific installation instructions in contrib/ubuntu/README... I will gladly merge it and make a pointer to it in the main README.md.
  • muru, over 9 years:
    @BostjanSkufca no need to be offended. It's just a Stack Exchange thing to have at least reasonably self-contained answers. If you're so strongly opposed to adding steps, that's your wish. My downvote remains. Someone will probably upvote it.
  • Bostjan Skufca Jese, over 9 years:
    Not offended. I understand now (about self-contained answers).
  • Phil_1984_, over 7 years:
    lastcomm is pretty pointless as a command logger. It only records the executable that was run. No arguments, switches or paths are logged.
  • yukashima huksay, over 6 years:
    what does rotate mean!?
  • karmendra, over 5 years:
    I am unable to log commands running in scripts, using this method.
  • Badr Elmers, almost 5 years:
    @yukashima because logs can become big files if not deleted, rotating means to rotate the log files and delete the older ones to keep logs smaller...