Commit 4a9e3a6

Update README.md
1 parent 5b5e1b6 commit 4a9e3a6

1 file changed

+54
-42
lines changed

README.md

@@ -9,49 +9,71 @@ No any agents are required. Just set it up and you can distribute the configurat
99

1010
# Logging field information
1111

12-
ID | Field | Channel
12+
no | field | description
1313
----- | ----- | -----
14-
1 | time_now | current time
15-
2 | tme_hms | current time - hours/minutes/seconds
16-
3 | tty_number | Type and number of the current terminal session
17-
4 | user | current login username
18-
5 | is_root | current user is root or not
19-
6 | shell_status | check user prompt. if root "#", not root "$"
20-
7 | ip | IP address connecting from a remote
21-
8 | current_path | the current working directory in the shell
22-
9 | command | the command entered in the shell.
23-
10 | ps | A custom field that is left in the same way as the PS status of the shell.
14+
1 | ctime_hms | The current time in the format of HH:MM:SS.
15+
2 | login_user | The username of the user who is currently logged in.
16+
3 | sudo_user | The username of the user who used sudo to run the command. If sudo wasn't used, set this variable to "null".
17+
4 | is_root | Whether the current user is the root user. If the current user is the root user, set this variable to "y". Otherwise, set it to "n".
18+
5 | shell_status | The command prompt symbol. If the current user is the root user, set this variable to "#". Otherwise, set it to "$".
19+
6 | remote_ip | he IP address of the remote host that the user logged in from.
20+
7 | pwd | The current working directory.
21+
8 | command | The command that was executed.
22+
9 | cmd_retn_code | The return code of the command that was executed.
23+
10 | cmd_pid | The process ID of the command that was executed.
24+
11 | sudo_chk | Whether the command that was executed used sudo. If the command used sudo, set this variable to "y". Otherwise, set it to "n".
25+
12 | sudo_with | Whether sudo was used to run the command. If the current user is the root user, set this variable to "y". Otherwise, set it to the value of sudo_chk.
26+
13 | ps | The command prompt string.
27+
28+
# Variables in logging
29+
30+
no | field | description
31+
----- | ----- | -----
32+
1 | datetime | The date and time when the command was executed.
33+
2 | tty | The terminal device name.
34+
3 | bash_pid | The process ID of the current bash shell.
35+
4 | type | The type of the log entry. "new_login" or "logged_in".
36+
5 | username | The username of the user who executed the command.
37+
6 | sudo_user | The username of the user who used sudo to run the command. If sudo wasn't used, this variable is set to "null".
38+
7 | root | Whether the current user is the root user. If the current user is the root user, this variable is set to "y". Otherwise, it's set to "n".
39+
8 | ip | The IP address of the remote host that the user logged in from.
40+
9 | pwd | The current working directory.
41+
10 | cmd | The command that was executed
2442

2543
# SET-UP
2644

2745
1. Create a file named "e.g) history_log.sh" under the "/etc/profile.d/" directory and add the following code to it:
2846
```bash
29-
#!/bin/bash
47+
logger -p local7.notice -t cmd_h1st "datetime='$(date +"%Y-%m-%d %T")',tty='$(tty | cut -d '/' -f 3-4)',bash_pid='$$',type='new_login',username='$LOGNAME',message='$LOGNAME logged at $(date +"%Y-%m-%d %T") from $(tty | awk -F "/" '{print $3"/"$4}' | xargs -I % bash -c 'w | grep -i %' | awk '{print $3}')'"
3048

3149
function log_command {
32-
local time_now=$(date +"%Y-%m-%d %T")
33-
local time_hms=$(date +"%T")
34-
local tty_number=$(tty | cut -d '/' -f 4)
35-
local user=$(whoami)
50+
local ctime_hms=$(date +"%T")
51+
local login_user=$(whoami)
52+
local sudo_user=$([[ -z "$(echo $SUDO_USER)" ]] && echo "null" || echo "$SUDO_USER")
3653
local is_root=$([[ "$(id -u)" == "0" ]] && echo "y" || echo "n")
3754
local shell_status=$([[ "$(id -u)" == "0" ]] && echo "#" || echo "$")
38-
local ip=$(tty | awk -F "/" '{print $3"/"$4}' | xargs -I % bash -c 'w | grep -i %' | awk '{print $3}')
39-
local current_path=$(pwd)
40-
local command=$@
41-
local ps="[$time_hms][$user@$(hostname)]$current_path~$shell_status $command"
42-
43-
logger -p local6.info -t cmd_h1st "datetime='$time_now',tty='$tty_number',user='$user',root='$is_root',ip='$ip',pwd='$current_path',cmd='$command',ps='$ps'"
55+
local remote_ip=$(tty | awk -F "/" '{print $3"/"$4}' | xargs -I % bash -c 'w | grep -i %' | awk '{print $3}')
56+
local pwd=$(pwd)
57+
local command="$1"
58+
local cmd_retn_code="$2"
59+
local cmd_pid="$3"
60+
local sudo_chk=$(echo "$command" | grep -q "sudo" && echo "y" || echo "n")
61+
local sudo_with=$([[ "$(id -u)" == "0" ]] && echo "y" || echo "$sudo_chk")
62+
local ps="[$ctime_hms][$login_user@$(hostname)]$pwd~$shell_status $command"
63+
64+
logger -p local7.notice -t cmd_h1st "datetime='$(date +"%Y-%m-%d %T")',tty='$(tty | cut -d '/' -f 3-4)',bash_pid='$$',type='logged_in',username='$login_user',sudo_user='$sudo_user',root='$is_root',ip='$remote_ip',pwd='$pwd',cmd='$command',cmd_ret_code='$cmd_retn_code',cmd_pid='$cmd_pid',cmd_with_sudo='$sudo_with',ps='$ps'"
4465
}
4566

46-
PROMPT_COMMAND='log_command "$(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//")"'
67+
68+
PROMPT_COMMAND='__ret="$?"; __cmd=$(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//g"); __ppid=$(echo $$); __cpid=$(ps -o ppid= -o pid= | awk "\$1==${__ppid} {print \$2}"); log_command "${__cmd}" "${__ret}" "${__cpid}"'
4769

4870
```
4971

5072
2. Open the "/etc/rsyslog.conf" file and add the configuration to save in local6.info format to the "/var/log/command.log" file.
5173
```
5274
# vim /etc/rsyslog.conf
5375
.....
54-
local6.info /var/log/command.log
76+
local7.notice /var/log/command.log
5577
```
5678

5779
3. Restart the rsyslog service to apply the changes.
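Review bot: the `sudo_chk` line (`grep -q "sudo"` over the whole command string) is a substring match, so any command that merely mentions the word, for example `cat /etc/sudoers` or `man sudo`, is logged with cmd_with_sudo='y'. Match sudo as a command word instead, e.g. `grep -qE '(^|[;&|] *)sudo( |$)'`, or keep the simple check and state the limitation in the field table. Two smaller points in the same hunk: `cmd_pid` is computed inside PROMPT_COMMAND, which runs after the foreground command has already exited, so the pid that `ps -o ppid= -o pid=` matches is whatever child of the shell is alive at prompt time (typically the `$(...)` subshell doing the lookup), not the pid of the logged command; the sample output in the next hunk, where cmd_pid is always a few pids below the logger pid, is consistent with that, so the field should either be documented as such or dropped. And in the new field table, "he IP address of the remote host" is missing its initial T.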
@@ -66,26 +88,15 @@ local6.info /var/log/command.log
6688

6789
```bash
6890
# cat /var/log/command.log
69-
..
7091
...
71-
.....
7292

73-
.... cmd_h1st[720030]: datetime='2023-02-11 00:16:27',tty='2',user='opc',root='n',ip='1*5.2**.*9.1**',pwd='/home/opc',cmd='sudo -i',ps='[00:16:27][opc@buddy]/home/opc~$ sudo -i'
74-
.... cmd_h1st[720061]: datetime='2023-02-11 00:16:29',tty='2',user='opc',root='n',ip='1*5.2**.*9.1**',pwd='/home/opc',cmd='env',ps='[00:16:29][opc@buddy]/home/opc~$ env'
75-
.... cmd_h1st[720093]: datetime='2023-02-11 00:17:12',tty='2',user='opc',root='n',ip='1*5.2**.*9.1**',pwd='/home/opc',cmd='ls',ps='[00:17:12][opc@buddy]/home/opc~$ ls'
76-
.... cmd_h1st[720659]: datetime='2023-02-11 07:16:51',tty='2',user='root',root='y',ip='1*5.2**.*9.1**',pwd='/root',cmd='exit',ps='[07:16:51][root@buddy]/root~# exit'
77-
.... cmd_h1st[720689]: datetime='2023-02-11 07:16:51',tty='2',user='root',root='y',ip='1*5.2**.*9.1**',pwd='/root',cmd='exit',ps='[07:16:51][root@buddy]/root~# exit'
78-
.... cmd_h1st[720719]: datetime='2023-02-11 07:16:52',tty='2',user='root',root='y',ip='1*5.2**.*9.1**',pwd='/root',cmd='exit',ps='[07:16:52][root@buddy]/root~# exit'
79-
.... cmd_h1st[720750]: datetime='2023-02-11 07:16:52',tty='2',user='root',root='y',ip='1*5.2**.*9.1**',pwd='/root',cmd='ll',ps='[07:16:52][root@buddy]/root~# ll'
80-
.... cmd_h1st[720797]: datetime='2023-02-11 07:18:14',tty='2',user='root',root='y',ip='1*5.2**.*9.1**',pwd='/root',cmd='vim /etc/rsyslog.conf ',ps='[07:18:14][root@buddy]/root~# vim /etc/rsyslog.conf '
81-
.... cmd_h1st[720827]: datetime='2023-02-11 07:18:16',tty='2',user='root',root='y',ip='1*5.2**.*9.1**',pwd='/root',cmd='history',ps='[07:18:16][root@buddy]/root~# history'
82-
.... cmd_h1st[720889]: datetime='2023-02-11 07:18:47',tty='2',user='root',root='y',ip='1*5.2**.*9.1**',pwd='/root',cmd='systemctl restart rsyslog.service ',ps='[07:18:47][root@buddy]/root~# systemctl restart rsyslog.service '
83-
.... cmd_h1st[720919]: datetime='2023-02-11 07:18:47',tty='2',user='root',root='y',ip='1*5.2**.*9.1**',pwd='/root',cmd='systemctl restart rsyslog.service ',ps='[07:18:47][root@buddy]/root~# systemctl restart rsyslog.service '
84-
.... cmd_h1st[720949]: datetime='2023-02-11 07:18:47',tty='2',user='root',root='y',ip='1*5.2**.*9.1**',pwd='/root',cmd='systemctl restart rsyslog.service ',ps='[07:18:47][root@buddy]/root~# systemctl restart rsyslog.service '
85-
.... cmd_h1st[720983]: datetime='2023-02-11 07:21:38',tty='2',user='nara',root='n',ip='1*5.2**.*9.1**',pwd='/home/nara',cmd='sudo -i',ps='[07:21:38][nara@buddy]/home/nara~$ sudo -i'
86-
.... cmd_h1st[721013]: datetime='2023-02-11 07:21:39',tty='2',user='nara',root='n',ip='1*5.2**.*9.1**',pwd='/home/nara',cmd='sudo -i',ps='[07:21:39][nara@buddy]/home/nara~$ sudo -i'
87-
.... cmd_h1st[721044]: datetime='2023-02-11 07:21:48',tty='2',user='nara',root='n',ip='1*5.2**.*9.1**',pwd='/home/nara',cmd='ls -al /etc',ps='[07:21:48][nara@buddy]/home/nara~$ ls -al /etc'
88-
.... cmd_h1st[721077]: datetime='2023-02-11 07:21:55',tty='2',user='nara',root='n',ip='1*5.2**.*9.1**',pwd='/home/nara',cmd='df -h /var/log',ps='[07:21:55][nara@buddy]/home/nara~$ df -h /var/log'
93+
... cmd_h1st[987170]: datetime='2023-02-22 16:19:21',tty='pts/2',bash_pid='983421',type='logged_in',username='user1',sudo_user='null',root='n',ip='192.168.100.1',pwd='/home/user1',cmd='ps -ef',cmd_ret_code='0',cmd_pid='987133',cmd_with_sudo='n',ps='[16:19:21][user1@testwork9]/home/user1~$ ps -ef'
94+
... cmd_h1st[987213]: datetime='2023-02-22 16:19:22',tty='pts/2',bash_pid='983421',type='logged_in',username='user1',sudo_user='null',root='n',ip='192.168.100.1',pwd='/home/user1',cmd='ls -al',cmd_ret_code='0',cmd_pid='987176',cmd_with_sudo='n',ps='[16:19:22][user1@testwork9]/home/user1~$ ls -al'
95+
... cmd_h1st[987256]: datetime='2023-02-22 16:19:39',tty='pts/2',bash_pid='983421',type='logged_in',username='user1',sudo_user='null',root='n',ip='192.168.100.1',pwd='/home/user1',cmd='ls -al',cmd_ret_code='0',cmd_pid='987219',cmd_with_sudo='n',ps='[16:19:38][user1@testwork9]/home/user1~$ ls -al'
96+
... cmd_h1st[987299]: datetime='2023-02-22 16:19:40',tty='pts/2',bash_pid='983421',type='logged_in',username='user1',sudo_user='null',root='n',ip='192.168.100.1',pwd='/home/user1',cmd='w',cmd_ret_code='0',cmd_pid='987262',cmd_with_sudo='n',ps='[16:19:40][user1@testwork9]/home/user1~$ w'
97+
... cmd_h1st[987342]: datetime='2023-02-22 16:19:42',tty='pts/2',bash_pid='983421',type='logged_in',username='user1',sudo_user='null',root='n',ip='192.168.100.1',pwd='/home/user1',cmd='ps',cmd_ret_code='0',cmd_pid='987305',cmd_with_sudo='n',ps='[16:19:42][user1@testwork9]/home/user1~$ ps'
98+
... cmd_h1st[987387]: datetime='2023-02-22 16:19:46',tty='pts/2',bash_pid='983421',type='logged_in',username='user1',sudo_user='null',root='n',ip='192.168.100.1',pwd='/home/user1',cmd='cat /etc/shadow',cmd_ret_code='1',cmd_pid='987350',cmd_with_sudo='n',ps='[16:19:46][user1@testwork9]/home/user1~$ cat /etc/shadow'
99+
... cmd_h1st[987430]: datetime='2023-02-22 16:19:49',tty='pts/2',bash_pid='983421',type='logged_in',username='user1',sudo_user='null',root='n',ip='192.168.100.1',pwd='/home/user1',cmd='abcdefg',cmd_ret_code='127',cmd_pid='987393',cmd_with_sudo='n',ps='[16:19:49][user1@testwork9]/home/user1~$ abcdefg'
89100

90101
```
91102

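Review bot: the log excerpt needs a sentence explaining that a repeated entry is ambiguous: because PROMPT_COMMAND re-reads `history 1` at every prompt, pressing Enter on an empty line logs the previous command again with a fresh datetime and cmd_pid, so the second cmd='ls -al' entry at 16:19:39 cannot be distinguished from the user running it twice (the removed sample showed the same effect with the repeated 'exit' and 'systemctl restart rsyslog.service' lines). One fix is to remember the history number (`history 1 | awk '{print $1}'`) between prompts and skip the logger call when it has not changed. Worth pointing out in the README as well, since it is what a reader of this log would look for: the new cmd_ret_code field makes the denied `cat /etc/shadow` (return code 1) and the mistyped command (127) stand out without parsing the command text.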
@@ -94,3 +105,4 @@ local6.info /var/log/command.log
94105
- If necessary make additional fields and apply.
95106
- In case multiple users log in with the same username, we can individually identify who they are.
96107
- By default, when a user change level to root, their IP address is lost, so making it impossible to recored the user's remote connection ip, but it is fine now. IP is recorded in all cases.
108+
- Final updated at 2023.02.22
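Review bot: the added line "Final updated at 2023.02.22" should read "Last updated: 2023-02-22" (the log samples already use the ISO date form), and since this commit touches the closing notes anyway, the unchanged line above it has two typos worth fixing in the same pass: "recored" and "when a user change level to root" (changes). That sentence also claims "IP is recorded in all cases", which the script only supports for sessions that `w` lists by tty; a session without a controlling terminal makes the `tty | ... | w | grep` pipeline match nothing and leaves the ip field empty, so "all cases" should be qualified.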
