Logging bash commands
I once had a requirement to log bash commands and I checked many solutions like Snoopy, but none of them were proper for a production environment. So below is the simplest method to add logging to bash in Linux.
Steps
Modify bash config
The first step is to modify the configuration file for bash.
Open /etc/bashrc with the following command:
sudo vim /etc/bashrc
After that, add the following line to the end of the file:
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.info -t "$USER[$$] $SSH_CONNECTION")'
The above entry sends every command appended to the bash history to syslog with facility local6 and severity info, tagged with the user name, the shell's PID and the SSH connection details.
This takes effect only after logging out and logging in again (or you can manually source the new bashrc).
Modify Rsyslog config
Now, to actually log the bash commands, the Rsyslog configuration must be edited to send all the local6.* logs to the /var/log/secure file.
Open the Rsyslog config with the following command:
sudo vim /etc/rsyslog.conf
And then change the existing secure log entry
from
authpriv.* /var/log/secure
to
authpriv.*;local6.* /var/log/secure
After this, restart Rsyslog with the following command:
sudo systemctl restart rsyslog.service
Conclusion
This will enable bash logging, but note that it covers only bash. If any other shell such as sh or zsh is used, this method will not log the commands run in that shell.
Also, anyone can put commands in a script and run it; this will log only the name of the script, not the commands inside it.
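To confirm that both edits are in place and to see which accounts fall under the shell caveat above, the following audit script can be run against the live files or copies of them. It is an added example, not part of the original post; the function names and the MISSING / NOT COVERED output labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the two config edits plus the login-shell caveat.
# All file paths are parameters so the checks can run against copies.

# Succeeds if an uncommented PROMPT_COMMAND assignment pipes into
# "logger -p local6.<severity>".
bashrc_has_hook() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?PROMPT_COMMAND=.*logger[[:space:]].*-p[[:space:]]*local6\.' "$1"
}

# Succeeds if an uncommented selector line in $1 names local6 at a
# priority that includes info and writes to file $2 (optionally "-" prefixed).
rsyslog_routes_local6() {
    awk -v dest="$2" '
        /^[[:space:]]*#/ { next }
        $1 ~ /(^|[;,])local6\.(\*|debug|info)(;|$)/ &&
            ($NF == dest || $NF == ("-" dest)) { found = 1 }
        END { exit !found }' "$1"
}

# Prints "user:shell" for accounts whose login shell is not bash and not
# a non-interactive entry. An empty shell field means /bin/sh.
non_bash_login_users() {
    awk -F: '$7 !~ /\/(bash|nologin|false|sync|shutdown|halt)$/ {
        print $1 ":" ($7 == "" ? "/bin/sh" : $7) }' "$1"
}

# Runs all three checks; returns non-zero if either config edit is missing.
audit() {
    rc=0
    bashrc_has_hook "${1:-/etc/bashrc}" ||
        { echo "MISSING: PROMPT_COMMAND logger hook"; rc=1; }
    rsyslog_routes_local6 "${2:-/etc/rsyslog.conf}" "${3:-/var/log/secure}" ||
        { echo "MISSING: local6 selector"; rc=1; }
    non_bash_login_users "${4:-/etc/passwd}" | sed 's/^/NOT COVERED: /'
    return "$rc"
}

# Usage: sh audit.sh /etc/bashrc /etc/rsyslog.conf /var/log/secure /etc/passwd
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

The rsyslog check looks only for an explicit local6 selector, so a catch-all rule such as `*.*` pointing at the same file is not counted.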