[logs] How to log - commands and file access
Karl Vogel
vogelke at pobox.com
Sat Nov 24 16:48:46 PST 2007
>> On Fri, 9 Nov 2007 09:25:47 +0100,
>> david.bigot at devoteam.com said:
D> I want to know for a customer, how to log automatically on UNIX and
D> Linux systems:
D> - all commands executed (in BASH, ZSH & co ...). I know about the file
D> ~/.(ba)sh_history but I prefer a global file or through syslog.
I use ZSH plus a shell function to keep track of my command history through
syslog, in case I mangle my own history file. The shell function is called
"precmd", and it runs after you type a command at the prompt.

    # Log commands, return codes and the current working directory.
    # Based on:
    #
    #   http://blogs.sun.com/chrisg/entry/logging_commands_in_korn_shell
    #   Logging commands in korn shell
    #   Chris Gerhard
    #   Thu, 2 Mar 2006 09:47:29 -0500
    #
    # Don't try to put local on the x= line.  If you do,
    # any command arguments (i.e., "ls -la") will throw an error:
    #   precmd:local:2: not an identifier: -la

    precmd () {
        typeset -i stat=$?
        local x
        x=$(fc -ln -1)
        local d=$(/bin/pwd)
        logger -p local2.notice -t "$LOGNAME $$" $stat: $d: \($x\)
    }

I save the return code from the command plus the (possibly changed) working
directory. Each logfile line holds the hostname, my userid, the shell
process id, the return code, the directory, and the command I ran plus
arguments in parentheses. The "local2" log file looks like this:

    Nov 24 18:26:34 myhost vogelke 48701: 1: /src: (man align)
    Nov 24 18:27:20 myhost vogelke 48700: 0: /home/vogelke: (cd)
    Nov 24 18:27:23 myhost vogelke 48700: 0: /var/mail: (cd /var/mail)
    Nov 24 18:27:23 myhost vogelke 48700: 0: /var/mail: (dir)
    Nov 24 18:27:42 myhost vogelke 48700: 0: /var/mail: (from)

I keep the shell process id because I usually have two xterms going, and I
frequently switch back and forth; this keeps the command order straight.
On the first line, you can see that there's no man entry for align, so I
got a "1" for the return code. The second line shows me going home, etc.
--
Karl Vogel I don't speak for the USAF or my company
Aim towards the Enemy. --instruction printed on US Rocket Launcher
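
Added example (not part of the original post and not Karl Vogel's code): a Python parser for the log-line layout described above (hostname, userid, shell process id, return code, directory, command in parentheses). It regroups records by shell process id, as the post does by eye, and lists commands with a non-zero return code. The sample lines are the ones from the post plus one constructed line; all function names are illustrative.

```python
import re
from collections import defaultdict

# Lines from the "local2" excerpt in the post, plus one CONSTRUCTED line
# (the last) whose command itself contains parentheses.
SAMPLE_LOG = """\
Nov 24 18:26:34 myhost vogelke 48701: 1: /src: (man align)
Nov 24 18:27:20 myhost vogelke 48700: 0: /home/vogelke: (cd)
Nov 24 18:27:23 myhost vogelke 48700: 0: /var/mail: (cd /var/mail)
Nov 24 18:27:23 myhost vogelke 48700: 0: /var/mail: (dir)
Nov 24 18:27:42 myhost vogelke 48700: 0: /var/mail: (from)
Nov 24 18:28:02 myhost vogelke 48701: 2: /src: (grep -c "(x)" nofile)
"""

# Layout: timestamp host user pid: status: cwd: (command)
# cwd is matched lazily up to the first ": ("; the command runs greedily
# to the final ")" so parentheses inside the command are kept intact.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<pid>\d+): (?P<status>\d+): (?P<cwd>.*?): \((?P<cmd>.*)\)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it is not in this layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"], rec["status"] = int(rec["pid"]), int(rec["status"])
    return rec

def sessions(log_text):
    """Group records by (host, user, shell pid), preserving file order."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            out[(rec["host"], rec["user"], rec["pid"])].append(rec)
    return dict(out)

def failures(log_text):
    """All records whose saved return code is non-zero."""
    return [r for recs in sessions(log_text).values()
            for r in recs if r["status"] != 0]

if __name__ == "__main__":
    for key, recs in sessions(SAMPLE_LOG).items():
        print(key)
        for r in recs:
            print(f"  {r['ts']} rc={r['status']} {r['cwd']}$ {r['cmd']}")
```

The format has no escaping, so a working directory whose name contains ": (" would be split at the wrong point. Since precmd is defined in the user's own shell startup, the log is a cooperative record rather than a tamper-resistant audit trail.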