# How to log all bash commands to syslog

## Martin Cmelik

Hi,

I spent many hours on Google trying to find something usable.

I found only things which modify PROMPT_COMMAND, like this:

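```
# The heredoc delimiter is quoted so that $BASH and $PROMPT_COMMAND are
# written to /etc/bashrc literally instead of being expanded right now.
cat >> /etc/bashrc << '!EOF'
# Log users commands
if [ "$BASH" ]; then
    # Append each command to the history file as soon as the prompt returns
    PROMPT_COMMAND="history -a;$PROMPT_COMMAND";
    # Stop users from changing the history-related settings
    readonly PROMPT_COMMAND
    readonly HISTSIZE
    readonly HISTFILE
    readonly HOME
    readonly HISTIGNORE
    readonly HISTCONTROL
fi
# End of log
!EOF
```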

Or some overkill script like this: http://jeetworks.org/node/80

But none of them can log commands to syslog (at the same time the user executes them).

Another "solution" can be psacct (process accounting), but it will not log the parameters of a command, which is necessary.

I am very disappointed that bash doesn't have this feature by default.

If someone can, please help.

Thanks a lot!

----------

## richard.scott

Why not put something in the user's ~/.bash_logout to process ~/.bash_history?

----------

## Martin Cmelik

*richard.scott wrote:*

> Why not put something in the user's ~/.bash_logout to process ~/.bash_history?

Because users can delete it or simply use

```
$ history -c
```

when they log out.

Also, when the system crashes you will not have any commands in the files, because they are saved when the user logs out.

----------

## richard.scott

Set up an alias for history so they can't use the command.

The .bash_history isn't written until the user logs out, so they'd not be able to delete it easily.

Rich

----------

## Martin Cmelik

*richard.scott wrote:*

> Set up an alias for history so they can't use the command.
> 
> The .bash_history isn't written until the user logs out, so they'd not be able to delete it easily.
> 
> Rich

Hi,

It is not a solution. They can use a different alias for history -c

When they use history -c you will see only $ history -c in .bash_history

And this also doesn't send commands to syslog (syslog then sends this output to a remote syslog server)

----------

## boerKrelis

Have you looked into the 'bashlogger' use-flag for bash?

But it's an uphill battle. If I'd want to remove something without you finding out, I'd just install my own bash. Or I'd start python and "import os; os.remove('foo')" etc.

You could also use accounting to find out who ran what, when (but it doesn't show the arguments).

----------

## Martin Cmelik

 *boerKrelis wrote:*   

> Have you looked into the 'bashlogger' use-flag for bash?
> 
> But it's an uphill battle. If I'd want to remove something without you finding out, I'd just install my own bash. Or I'd start python and "import os; os.remove('foo')" etc.
> 
> You could also use accounting to find out who ran what, when (but it doesn't show the arguments).

 

You guided me the right way!

For others: http://blog.rootshell.be/2009/02/28/bash-history-to-syslog/

and bashlogger is the needed USE flag

Thanks boerKrelis!

----------

## Martin Cmelik

For all others, I have found the easiest way...

It seems that I have a problem in /etc/bashrc when I put my PROMPT_COMMAND after "mesg n"

This works like a charm:

```
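# read -r and the quoted "$y" keep backslashes and wildcards in the logged command as typed
export PROMPT_COMMAND='{ msg=$(history 1 | { read -r x y; printf "%s\n" "$y"; }); logger -p local5.info "$HOSTNAME [HIST] : $SSH_CLIENT : $PWD : $msg"; }'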
```

Then simply add to syslog:

```
local5.info                                             @192.168.1.1
```

I found it here: http://www.tonynotes.com/index.php/How_to_install_syslog-ng_on_Linux

----------
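Added example, not part of the thread: the PROMPT_COMMAND hook from the last post reworked as a function that flattens control characters in the command and skips repeats of the same history entry before calling logger. The names hist_format, hist_log and HIST_LAST_N are assumptions, and HISTTIMEFORMAT is assumed to be unset.

```shell
# Added example, not code from the thread. hist_format, hist_log and
# HIST_LAST_N are hypothetical names. Assumes HISTTIMEFORMAT is unset.

# hist_format RAW LAST_N
#   RAW    = output of `history 1`, e.g. "  501  ls -la /tmp"
#   LAST_N = history number logged at the previous prompt
# Prints "<number> <syslog message>", or returns 1 when there is nothing new.
hist_format() (
    # Turn control characters into spaces so a multi-line command stays one
    # syslog record and cannot start a second, forged-looking line.
    flat=$(printf '%s' "$1" | LC_ALL=C tr '\000-\037\177' ' ')
    read -r num cmd <<EOF
$flat
EOF
    num=${num%\*}                              # "*" marks an edited entry
    case $num in ''|*[!0-9]*) exit 1 ;; esac   # not a history line
    # PROMPT_COMMAND runs at every prompt; pressing Enter on an empty line
    # would otherwise log the previous command again.
    [ "$num" = "$2" ] && exit 1
    printf '%s %s [HIST] : %s : %s : %s\n' \
        "$num" "$HOSTNAME" "$SSH_CLIENT" "$PWD" "$cmd"
)

hist_log() {
    HIST_OUT=$(hist_format "$(history 1)" "${HIST_LAST_N-}") || {
        HIST_LAST_N=${HIST_LAST_N-0}; return 0; }
    if [ -z "${HIST_LAST_N+set}" ]; then
        # First prompt of a session: the entry comes from the history file,
        # not from this login. Remember its number but do not log it.
        HIST_LAST_N=${HIST_OUT%% *}; return 0
    fi
    HIST_LAST_N=${HIST_OUT%% *}
    logger -p local5.info "${HIST_OUT#* }"
}

PROMPT_COMMAND=hist_log
```

As boerKrelis points out in the thread, a hook like this only records what an interactive bash session runs through its history; commands run from another shell or interpreter do not pass through it.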

