Logging shell commands and send it out

reaky · August 4, 2009, 5:20am

Dear friends
I'm looking for a solution to log all commands that users do in my RedHat box, and send it out to other remote server,
Is there any guide for that
Thanks

---------- Post updated at 04:20 AM ---------- Previous update was at 03:47 AM ----------

I can think of something else
I already have a sloution to logg all commands but in the same local machine
and have have a syslog server,
Now how I can make syslog logs this file that have commands logs?

TonyFullerMalv · August 4, 2009, 6:09pm

Run something like:

cat userlogfile | logger -p auth.notice

as the user logs out?

reaky · August 10, 2009, 8:57am

Nice Idea
But this will make this once , I want to make the userlogfile always under monitoring, Which means that any updates happened on it logged by syslog once it happened.

Thanks

unSpawn · August 13, 2009, 9:47am

Have a look at 'rootsh'.

Rootsh can log to syslog so the only thing you need to do is make the remote syslog server also listen for external syslog messages and configure your local syslog server to send messages to remote.

If you want to separate syslogs and (can) use Syslog-NG check SourceForge.net: rootsh: for "how to" details.

fpmurphy · August 19, 2009, 8:54am

ksh93 supports this feature by default using the audit/accounting facility. See KSH93 Auditing and Accounting for more information.

bash does not have any facilities to do this but if you search the Internet you will find patches out there which enable you to build a custom version of bash to provide this feature.

unSpawn · August 19, 2009, 12:34pm

That's all nice but that patched Ksh does not hook into Syslog (wrt an implications of an application being allowed to do housekeeping on its own auditing, corellation benefits of centralized timestamping, remote logging opportunity) like 'rootsh' or 'sudosh' could. In that respect it is more akin to the Honeypot Bash patches Anotatla provided at the time. Also the article does not show any output is recorded like aforementioned applications could.

fpmurphy · August 23, 2009, 10:24am

Unspawn said

First it is not a patched ksh93. No patches are required.

Second, you obviously did not read the post. Towards the end it provides a detailed example of how to do exactly what you are claiming it cannot do.

unSpawn · August 23, 2009, 3:25pm

Apparently it can do remote TCP or UDP, I must have read over that. But with syslogging I mean using a facility/prio combo as in 'man 3 syslog' like the others do. I suppose I should have been more specific there.