Logging bash history to syslog using traps
Tags: bash, linux, sysadmin, syslog
This is a handy way to log users' bash histories to syslog without modifying the bash source code itself. Simply drop the following snippet into either the per-user or the system-wide bash profile (~/.bash_profile or /etc/profile, respectively):

    function log2syslog {
        declare COMMAND
        COMMAND=$(fc -ln -0)          # the most recent history entry, listed without its number
        logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
    }
    trap log2syslog DEBUG             # run the function before every simple command
This won't guarantee log consistency in the event of a compromised host, but you'll certainly have an increased ability to correlate events across your systems.
June 14th, 2010 at 4:36 am
If you just hit enter multiple times the log claims that you actually executed the command multiple times too. Any suggestions on how to improve this?
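As an added example (not code from the original post or its comments), here is a variant of the trap that remembers the history number of the last entry it sent, so a trap firing that reports the same entry again, the case described in the comment above, is not logged twice. The function and variable names are mine; it assumes bash with history enabled (an interactive shell) and logger(1) on the PATH.

```shell
# Added example, not from the original post: a DEBUG-trap logger that keys on
# the history number so the same history entry is sent to syslog only once.
# Assumes bash with history enabled (interactive shell) and logger(1).

LAST_LOGGED_HISTNUM=""   # history number of the entry most recently logged

# should_log NUM: succeed when NUM is a history number not yet logged.
should_log() {
    [ -n "$1" ] || return 1                         # empty history: nothing to log
    [ "$1" != "$LAST_LOGGED_HISTNUM" ] || return 1  # same entry as last time: skip
    LAST_LOGGED_HISTNUM=$1
}

# histnum_of LINE: the history number from an `fc -l -0` line ("42<TAB> cmd").
histnum_of() {
    ( set -f; set -- $1; printf '%s\n' "$1" )   # -f: never glob the command text
}

# cmd_of LINE: the command text from the same line, with its inner spacing kept.
cmd_of() {
    line=${1#"${1%%[![:space:]]*}"}         # drop leading whitespace
    line=${line#*[[:space:]]}               # drop the number and one separator
    line=${line#"${line%%[![:space:]]*}"}   # drop whitespace before the command
    printf '%s\n' "${line#\*}"              # drop the '*' bash puts on edited entries
}

log2syslog() {
    entry=$(fc -l -0 2>/dev/null) || return 0   # no history (non-interactive shell)
    num=$(histnum_of "$entry")
    should_log "$num" || return 0               # this entry was already logged
    logger -p local1.notice -t bash -i -- "${USER}:${num}:$(cmd_of "$entry")"
}

# The DEBUG trap exists in bash only; skip installation under a plain POSIX sh.
if [ -n "$BASH_VERSION" ]; then
    trap log2syslog DEBUG
fi
```

Because DEBUG fires before each simple command, a line such as `ls; id` triggers the trap twice but carries one history number, so it is logged once as the whole line.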
November 5th, 2010 at 1:10 am
If you’re used to using ^Z, bg, fg, etc. you’ll find this cumbersome, as those stop working.
May 18th, 2011 at 2:57 pm
Job control should not be affected – at least, I don’t know why it would be. The function log2syslog doesn’t actually execute the command, but rather sends a copy of the last history output to syslog.
Where this would fail is if the DEBUG trap is ever skipped – or skippable. Also, if the trap can be changed by the user, then this function can be removed.
The ideal way is to modify the source code or to enable the log to syslog capabilities of Bash 4.1.
http://wiki.bash-hackers.org/bash4