#!/bin/bash
export HISTTIMEFORMAT='%F %T '
export HISTCONTROL=ignoredups
if $(who am i | grep -q -e '(' -e ')'); then
LOGIN_FORM=$(who am i | awk '{print $NF}' | sed -e 's/[()]//g')
elif $(who am i | grep -q tty); then
LOGIN_FORM=$(who am i | awk '{print $2}')
elif [ -n "$DISPLAY" ]; then
LOGIN_FORM=$DISPLAY
elif [ -n "$SSH_CLIENT" ]; then
LOGIN_FORM=$(echo $SSH_CLIENT | awk '{print $1}')
fi
logger -p local6.debug -- "from=${LOGIN_FORM}, USER=$USER, PID=$$, PWD=$PWD, LOGIN: 'success'"
function history_to_syslog {
cmd=$(history 1 | awk '{print substr($0,28)}')
if [ -n "${old_command}" -a "${cmd}" != "${old_command}" ]; then
logger -p local6.debug -- "from=${LOGIN_FORM}, USER=$USER, PID=$$, PWD=$PWD, CMD: ${cmd}"
fi
old_command=${cmd}
}
trap history_to_syslog DEBUG || EXIT
使用脚本记录系统登录和操作日志
1.将history.sh脚本放在/etc/profile.d/目录下
2.系统注销登录重新登录即可生效。
将本地日志发送到日志服务器方法如下:
1.修改/etc/rsyslog.conf配置文件:
开启UDP方式发送日志
$ModLoad imudp
$UDPServerRun 514
*.* @1.2.70.50:514
2.重启rsyslog服务:
systemctl restart rsyslog
将history日志发送到日志服务器方法如下:
1.将history.sh脚本放在/etc/profile.d/目录下
2.在/etc/rsyslog.conf添加如下配置:
local6.debug -/var/log/history
3.重启rsyslog服务:
systemctl restart rsyslog.service
