How to save the operation log on Linux (script, audit, snoopy, psacct, history, etc.)



history [My recommendation]

.bash_profile or .bashrc

or /etc/bashrc

# keep 5000 entries and prefix each one with a timestamp (the value contains a space, so it must be quoted)
HISTSIZE=5000
HISTTIMEFORMAT="%Y/%m/%d %H:%M:%S "




script [My recommendation]

/etc/profile

Execute the script command only if the parent process is sshd (put this at the end of /etc/profile):

# COMMAND column (field 11 of ps aux) of the parent process; "sshd:" means this shell was started by an SSH login
P_PROC=$(ps aux | awk -v ppid="$PPID" '$2 == ppid { print $11 }')
if tty -s; then
  # OpenSSH 9.8 and later name the per-connection process "sshd-session:" instead of "sshd:"
  case "$P_PROC" in
    sshd:|sshd-session:)
      # record the whole session, flushing after every write (-f), then end the login shell when script exits
      script -q -f /var/log/script/$(date '+%Y%m%d_%H%M%S')_$(whoami).log
      exit
      ;;
  esac
fi

Create the log directory first (once, as root):

mkdir -p /var/log/script
# world-writable so every login shell can create its own file; 1777 (sticky bit) would stop users deleting each other's logs
chmod 777 /var/log/script


How to read the script log

Remove escape sequences and color codes (col -b also drops the backspaces that script records):

sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})*)?m//g" /var/log/script/xxxxx.log | col -b > log.txt




audit [My recommendation]

Configuration for saving all executed commands

/etc/audit/rules.d/audit.rules

# vi /etc/audit/rules.d/audit.rules

## Rule01: log every execve (one line per syscall ABI; drop the b32 line if no 32-bit binaries run on the host)
-a exit,always -F arch=b64 -S execve -k exec
-a exit,always -F arch=b32 -S execve -k exec
# augenrules --load    <- reload the rules
# auditctl -l          <- list the loaded rules to check them

How to rotate the logs

/etc/audit/auditd.conf

# Number of files to keep
num_logs = 999

# Log file size (megabytes)
max_log_file = 10

# Rotate instead of stopping when the file is full
max_log_file_action = ROTATE

num_logs must be 999 or less.

10MB x 100  = 1,000MB  = 1GB
10MB x 500  = 5,000MB  = 5GB
10MB x 1000 = 10,000MB = 10GB

Log file

/var/log/audit/audit.log
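As an added example (not part of the original page), a small Python reader for the records the execve rule above writes to /var/log/audit/audit.log: it joins each SYSCALL record with its EXECVE record by event id, decodes hex-encoded arguments (auditd hex-encodes any argument containing a space or non-printable byte), and keeps auid, which stays the login user across su and sudo. The sample lines are constructed to match auditd's format; on a live host ausearch -i gives the same view.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format auditd writes for the execve rule:
# two records per exec (SYSCALL, then EXECVE), linked by the event id in
# msg=audit(<timestamp>:<serial>). Second event is a command run after sudo (auid=1000, uid=0).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1700000000.123:4242): argc=2 a0="cat" a1="/etc/passwd"
type=SYSCALL msg=audit(1700000000.456:4243): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="echo" exe="/usr/bin/echo" key="exec"
type=EXECVE msg=audit(1700000000.456:4243): argc=3 a0="echo" a1=68656C6C6F20776F726C64 a2="x"
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs, quoted or bare

def decode_arg(raw):
    """auditd quotes plain args; args with spaces or non-printables are written as hex."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw

def parse_execve_events(text):
    """Join SYSCALL and EXECVE records into (ts, auid, uid, tty, argv) tuples, oldest first."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev = events[(m.group(1), m.group(2))]
        fields = dict(FIELD.findall(line))
        if fields.get("type") == "SYSCALL":
            ev.update(auid=fields.get("auid"), uid=fields.get("uid"), tty=fields.get("tty"))
        elif fields.get("type") == "EXECVE":
            argc = int(fields["argc"])
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(argc)]
    return [(ts, e.get("auid"), e.get("uid"), e.get("tty"), e["argv"])
            for (ts, _), e in sorted(events.items()) if "argv" in e]

if __name__ == "__main__":
    for ts, auid, uid, tty, argv in parse_execve_events(SAMPLE_AUDIT_LOG):
        print(f"{ts} auid={auid} uid={uid} tty={tty} {' '.join(argv)}")
```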




Bash's function [My recommendation]

Send each executed command to syslog [My recommendation]

/etc/bash.bashrc.local
/etc/profile or /etc/bashrc (RHEL)

# Runs before every command (DEBUG trap) and once at exit; writes
# "<shell pid>, <login user>, <current user>, <cwd>, <command>" to facility local1 at level notice
function log_history {
    logger -p local1.notice -t history -i "$$, $(logname), $USER, $PWD, $BASH_COMMAND"
}
readonly -f log_history    # prevent the function from being redefined in the session
trap log_history DEBUG EXIT


Save the history to a file on exit

/etc/bash.bashrc.local

# /var/log/history must exist beforehand and be writable by login users
function save_history() {
    HISTTIMEFORMAT='%F %H:%M:%S '
    SAVED_HISTORY_FILE="/var/log/history/.sh_history.$(logname)+$USER.$(date +%Y%m%d%H%M%S)"
    history > "$SAVED_HISTORY_FILE"
    : > ~/.bash_history    # clear the user's own history file after it has been saved
}
trap save_history EXIT




psacct

How to use psacct

systemctl status psacct

systemctl start psacct
systemctl enable psacct

Log File

/var/account/pacct

How to check psacct log

lastcomm --user ec2-user




Snoopy Logger

How to install snoopy

## Ubuntu/Debian
apt-get install snoopy

## RHEL
yum install --enablerepo=epel snoopy

How to read the snoopy log

/var/log/auth.log (Ubuntu/Debian)
/var/log/secure (RHEL/CentOS)

grep snoopy /var/log/secure