How To Log Your Bash History With Syslog

Tags: , , , , , , ,


Prior to Bash 4.1 logging to syslog required either 3rd party patches, wrappers or clever hacks to glean command history information and send it to syslog. Until bash 4.1 becomes available for the majority of distributions these workaround and hacks are still useful to some who wish to obtain syslog functionality without altering, upgrading and maintaining bash manually.

Trap Method

Drop the following snippet into either the per-user or system-wide bash profile (~/.bash_profile or /etc/profile, respectively)

function log2syslog
{
   declare COMMAND
   COMMAND=$(fc -ln -0)
   logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
}
trap log2syslog DEBUG

Read more about the trap method here

Prompt Method

This method logs by hacking the prompt command to call history and write to syslog.

PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'

You can read more about the prompt method here

Upgrade or Patch Bash

Bash version 4.1 support syslog natively, so if it’s available in your distribution, or you’re willing to hand compile this is likely your best bet.

bash-syslog patches are available to bring syslog features into bash 3.x

11 Responses to “How To Log Your Bash History With Syslog”

  1. Timo Juhani Lindfors Says:

    If you just hit enter multiple times the log claims that you actually executed the command multiple times too. Any suggestions on how to improve this?

    [Reply]

  2. Paul Reiber Says:

    If you’re used to using ^Z, bg, fg, etc. you’ll find this cumbersome, as those stop working.

    [Reply]

  3. David Douthitt Says:

    Job control should not be affected – at least, I don’t know why it would be. The function log2syslog doesn’t actually execute the command, but rather sends a copy of the last history output to syslog.

    Where this would fail is if the DEBUG trap is ever skipped – or skippable. Also, if the trap can be changed by the user, then this function can be removed.

    The ideal way is to modify the source code or to enable the log to syslog capabilities of Bash 4.1.

    http://wiki.bash-hackers.org/bash4

    [Reply]

  4. Monitor user activities on linux | vinh_nguyen Says:

    […] http://backdrift.org/logging-bash-history-to-syslog-using-traps […]

  5. mr_white Says:

    I have a small issue with the “PROMPT_COMMAND” method. Everything works fine until I login to another account using “su – user”. After that, the combination of “ctrl+c” causes logging out of this account (returning to the previous one).

    Take a look at this example:

    (root@server ~)# su – user01
    (user01@server ~)$ PROMPT_COMMAND=’history -a >(tee -a ~/.bash_history | logger -t “$USER[$$] $SSH_CONNECTION”)’
    (user01@server ~)$ echo $PROMPT_COMMAND
    history -a >(tee -a ~/.bash_history | logger -t “$USER[$$] $SSH_CONNECTION”)
    (user01@server ~)$ ^C
    (user01@server ~)$ logout
    (root@server ~)#

    Do you have similar problem?

    [Reply]

    Paul Pasika Reply:

    I do have that problem with CentOS. It doesn’t happen on Debian! No one seems to have solved the problem when I google for it.

    [Reply]

    Paul Pasika Reply:

    I found the solution. You should use tee -ia so a Control-C isn’t going to log you out.

    man tee
    […]
    -i, –ignore-interrupts
    ignore interrupt signals

    […]

    [Reply]

  6. How-to: Log all commands run by admins on production servers #answer #it #programming | SevenNet Says:

    […] Credit to – http://backdrift.org/logging-bash-history-to-syslog-using-traps […]

  7. Solution: Log all commands run by admins on production servers #dev #answer #solution | Good Answer Says:

    […] Credit to – http://backdrift.org/logging-bash-history-to-syslog-using-traps […]

  8. Fix: Log all commands run by admins on production servers #answer #it #computers | IT Info Says:

    […] Credit to – http://backdrift.org/logging-bash-history-to-syslog-using-traps […]

  9. Mody Says:

    Free Plan We sell Google most trusted Plans. Our Plans are numebr one ranked in Google and you can not go wrong. All our plans are free and you get the most benefit out of our free options. If you have any questions please call our Free numebr .

    [Reply]

Join the Conversation