How can I log all csh commands history to syslog?


Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

  • Need to keep track of all csh commands executed by users in syslog.

Resolution

  • The precmd alias runs a given command just before csh prints each prompt for command line input. It can be used to send a copy of the last command line to syslog.
  • Create a file called /etc/profile.d/sysloghistory.csh containing the following:

    alias precmd "history 1 | /bin/logger -p local1.notice -t `echo $SHELL`:`whoami`:`pwd`:`ip r l |cut -d' ' -f12` -i "

Note: This resolution spawns a new process for each command logged, so it might not be the best solution if your system is under heavy load.
To save these log messages to a particular log file, add the line below to /etc/syslog.conf (for RHEL4/5) or /etc/rsyslog.conf (for RHEL6):

    local1.notice                           /var/log/history.log

Run the command below to apply this change:

  • Red Hat Enterprise Linux 4/5

    # service syslog restart

  • Red Hat Enterprise Linux 6

    # service rsyslog restart

For more information about the syslog.conf (RHEL4/5) or rsyslog.conf (RHEL6) configuration, please refer to its man page.
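
Once entries reach /var/log/history.log, they can be parsed into per-user records for review. The following is an added example, not part of the original article: it assumes the traditional syslog file layout and that "history 1" prints an event number, a time and the command, and the sample lines are constructed.

```python
import re
from collections import namedtuple

# Assumed line layout (traditional syslog file format, "history 1" output):
#   <timestamp> <host> <shell>:<user>:<cwd>:<ip>[<pid>]: <event#> <HH:MM> <command>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\s"
    r"(?P<tag>\S+)\[(?P<pid>\d+)\]:\s*"
    r"(?P<event>\d+)\s+(?P<htime>\d{1,2}:\d{2})\s+(?P<cmd>.*)$"
)

Record = namedtuple("Record", "ts host shell user cwd ip pid event cmd")

def parse_line(line):
    """Return a Record for one history.log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # The tag is shell:user:cwd:ip. Split shell and user from the left and the
    # address from the right so a ':' inside the working directory survives.
    parts = m.group("tag").split(":", 2)
    if len(parts) != 3 or ":" not in parts[2]:
        return None
    shell, user, rest = parts
    cwd, ip = rest.rsplit(":", 1)
    return Record(m.group("ts"), m.group("host"), shell, user, cwd, ip,
                  int(m.group("pid")), int(m.group("event")), m.group("cmd"))

def commands_by_user(lines):
    """Group logged commands per user, skipping lines that are not history records."""
    out = {}
    for rec in filter(None, map(parse_line, lines)):
        out.setdefault(rec.user, []).append(rec.cmd)
    return out

# Constructed sample lines, not taken from a real system.
SAMPLE = [
    "Jan 12 14:05:33 host1 /bin/csh:alice:/home/alice:192.0.2.10[4321]:     42\t14:05\tls -l /etc",
    "Jan 12 14:06:02 host1 /bin/csh:root:/var/tmp/a:b:192.0.2.10[4388]:      7\t14:06\tvi /etc/hosts",
    "Jan 12 14:06:10 host1 kernel: unrelated message",
]

if __name__ == "__main__":
    for user, cmds in commands_by_user(SAMPLE).items():
        print(user, cmds)
```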

Disclaimer: Please note that the script within this article is provided for customer benefit but is not supported by Red Hat. Customers can use it "as is" or customize it appropriately. Red Hat does not support custom scripts. Please refer to the article below for the scope of coverage (what Red Hat supports): support coverage

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

1 Comment

Using syslog to capture csh history seems a lousy match to sh/bash/ksh HISTFILE. Would this be better accomplished with Auditing?