How To Log Your Bash History With Syslog
Tags: bash, linux, log, logging, logs, sysadmin, syslog, syslog-ng
Prior to Bash 4.1, logging to syslog required either third-party patches, wrappers or clever hacks to glean command history information and send it to syslog. Until Bash 4.1 becomes available for the majority of distributions, these workarounds and hacks are still useful to those who wish to obtain syslog functionality without altering, upgrading and maintaining bash manually.
Trap Method
Drop the following snippet into either the per-user or system-wide bash profile (~/.bash_profile or /etc/profile, respectively):

    function log2syslog
    {
        declare COMMAND
        # Most recent history entry, without its history number
        COMMAND=$(fc -ln -0)
        logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
    }
    # The DEBUG trap runs log2syslog before each command is executed
    trap log2syslog DEBUG
Read more about the trap method here
Prompt Method
This method logs by hacking the prompt command to call history and write to syslog.

    PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'

You can read more about the prompt method here
Upgrade or Patch Bash
Bash version 4.1 supports syslog natively, so if it’s available in your distribution, or you’re willing to compile it by hand, this is likely your best bet.
bash-syslog patches are available to bring syslog features into bash 3.x.
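
An added example (not from the original post): a PROMPT_COMMAND hook that logs each history entry once by tracking its history number, so redrawing the prompt without running a new command does not produce a duplicate syslog line. The `__hl_*` names are made up for this sketch; the `logger` arguments are the ones from the trap snippet above.

```bash
# Added example, not the original author's code. Names starting with __hl_ are hypothetical.
__hl_last=""                 # history number seen at the previous prompt
__hl_tab=$(printf '\t')      # separator between number and command

# Split one `history 1` line ("  501  ls -la" or "  502* cmd") into
# "NUM<TAB>COMMAND". Returns 1 if the line does not start with a number.
__hl_parse() {
    local line num rest
    line=${1#"${1%%[! ]*}"}          # drop leading spaces
    num=${line%%[!0-9]*}             # leading digits = history number
    [ -n "$num" ] || return 1
    rest=${line#"$num"}
    rest=${rest#\*}                  # "*" marks an entry that was edited
    rest=${rest#"${rest%%[! ]*}"}    # drop spaces before the command
    printf '%s\t%s\n' "$num" "$rest"
}

# Return 0 only when the history number moved since the last prompt.
# The first call of a session only records the number: that entry was
# read from the history file and belongs to an earlier session.
__hl_is_new() {
    if [ -z "$__hl_last" ]; then
        __hl_last=$1
        return 1
    fi
    [ "$1" != "$__hl_last" ] || return 1
    __hl_last=$1
    return 0
}

# Prompt hook: send the newest history entry to syslog, once.
__hl_log() {
    local entry
    # Empty HISTTIMEFORMAT keeps timestamps out of the line being parsed
    entry=$(__hl_parse "$(HISTTIMEFORMAT='' history 1)") || return 0
    __hl_is_new "${entry%%"$__hl_tab"*}" || return 0
    logger -p local1.notice -t bash -i -- "${USER}:${entry#*"$__hl_tab"}"
}

# Run the hook first and keep whatever PROMPT_COMMAND was already set
PROMPT_COMMAND="__hl_log${PROMPT_COMMAND:+; $PROMPT_COMMAND}"
```

Like the two methods above, this only sees what bash records in its history, so commands excluded through HISTCONTROL or HISTIGNORE never reach syslog.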
June 14th, 2010 at 4:36 am
If you just hit enter multiple times the log claims that you actually executed the command multiple times too. Any suggestions on how to improve this?
November 5th, 2010 at 1:10 am
If you’re used to using ^Z, bg, fg, etc. you’ll find this cumbersome, as those stop working.
May 18th, 2011 at 2:57 pm
Job control should not be affected – at least, I don’t know why it would be. The function log2syslog doesn’t actually execute the command, but rather sends a copy of the last history output to syslog.
Where this would fail is if the DEBUG trap is ever skipped – or skippable. Also, if the trap can be changed by the user, then this function can be removed.
The ideal way is to modify the source code or to enable the log to syslog capabilities of Bash 4.1.
http://wiki.bash-hackers.org/bash4
June 17th, 2013 at 4:28 am
I have a small issue with the “PROMPT_COMMAND” method. Everything works fine until I log in to another account using “su - user”. After that, the combination of “ctrl+c” causes logging out of this account (returning to the previous one).
Take a look at this example:
(root@server ~)# su - user01
(user01@server ~)$ PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'
(user01@server ~)$ echo $PROMPT_COMMAND
history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")
(user01@server ~)$ ^C
(user01@server ~)$ logout
(root@server ~)#
Do you have a similar problem?
Paul Pasika Reply:
October 13th, 2016 at 4:54 pm
I do have that problem with CentOS. It doesn’t happen on Debian! No one seems to have solved the problem when I google for it.
Paul Pasika Reply:
December 28th, 2016 at 2:16 pm
I found the solution. You should use tee -ia so a Control-C isn’t going to log you out.
man tee
[…]
-i, --ignore-interrupts
ignore interrupt signals
[…]