Setting Up a Command Logging System for Ubuntu

Following the initial Ubuntu server setup there are some other things you should think about doing if your server holds particularly sensitive data or is accessed by several users; one of them is to set up a command logging system. We'll create a logging system that registers every command executed by every user. This not only lets you monitor what other users are doing on your server, but also helps you detect whether you've been attacked and someone is executing commands under your nose. This one's credit goes completely to AskUbuntu, I'm just passing the word.

Presuming you and/or the other users use the typical Bash command-line shell, let's start by editing the system-wide runtime file with:

sudo nano /etc/bash.bashrc

And to the end of that file add this line:

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

This is the command that tells syslog to register, and export to a log file, every command entered by a user, together with the username of the user who entered it and the timestamp of when it was run. The local6 part tells it that we only want the "informational" logs; think of the locals as filters for the logging system.

They range from local0 to local7, and as the number rises, so does the degree of detail/coverage. For example, 0 is classified as "emergency", meaning it will only be triggered by emergency warnings; 7 is classified as "debug", the highest degree of detail/coverage. We'll use local6 because we just want the informational level of detail on the command logs. The full range of locals goes like this:

  • 0 => Emergency
  • 1 => Alert
  • 2 => Critical
  • 3 => Error
  • 4 => Warning
  • 5 => Notification
  • 6 => Informational
  • 7 => Debug
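As an added example (not part of the original post): the -p argument of logger is a facility.severity pair, with local6 as the facility and debug as the severity; the eight levels listed above are the severity scale, and syslog carries the two as a single priority number, facility × 8 + severity. This shell snippet computes that number and checks whether an rsyslog selector such as the local6.* used later in this post would capture a message, so you can see the practical difference between writing local6.* and local6.info in the rsyslog config. The facility and severity code tables are the standard syslog ones; the function names are my own.

```shell
# Added example, not from the original post: numeric syslog priorities and
# rsyslog selector matching for "facility.severity" pairs as used by logger -p.

# Standard syslog facility codes (RFC 5424); local0..local7 are 16..23.
facility_code() {
    case "$1" in
        kern) echo 0 ;; user) echo 1 ;; mail) echo 2 ;; daemon) echo 3 ;;
        auth) echo 4 ;; syslog) echo 5 ;; lpr) echo 6 ;; news) echo 7 ;;
        uucp) echo 8 ;; cron) echo 9 ;; authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $(( 16 + ${1#local} )) ;;
        *) return 1 ;;
    esac
}

# Standard syslog severity codes: the 0..7 scale listed in the post.
severity_code() {
    case "$1" in
        emerg|panic) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# PRI = facility * 8 + severity; "local6.debug" gives 22 * 8 + 7 = 183.
syslog_pri() {
    fac=$(facility_code "${1%%.*}") || return 1
    sev=$(severity_code "${1#*.}") || return 1
    echo $(( fac * 8 + sev ))
}

# Does an rsyslog selector ("facility.severity" or "facility.*") match a
# message sent with the given "facility.severity"? A named severity matches
# that level and anything more urgent (numerically lower), so a selector of
# local6.info would silently drop the post's local6.debug messages, while
# local6.* keeps every severity of that facility.
selector_matches() {
    sel_fac="${1%%.*}"; sel_sev="${1#*.}"
    msg_fac="${2%%.*}"; msg_sev="${2#*.}"
    [ "$sel_fac" = "$msg_fac" ] || [ "$sel_fac" = "*" ] || return 1
    [ "$sel_sev" = "*" ] && return 0
    [ "$(severity_code "$msg_sev")" -le "$(severity_code "$sel_sev")" ]
}

echo "local6.debug has priority $(syslog_pri local6.debug)"
if selector_matches 'local6.*' local6.debug; then
    echo "selector local6.* captures local6.debug"
fi
if ! selector_matches local6.info local6.debug; then
    echo "selector local6.info would NOT capture local6.debug"
fi
```

This is why the rsyslog line later in the post uses local6.* rather than local6.info: the PROMPT_COMMAND sends at the debug severity, and anything stricter than debug in the selector would discard every command entry.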

Back to where we were: save the file, and now let's set up logging for local6. This is done with a config file; create it like this:

sudo nano /etc/rsyslog.d/bash.conf

And add the following line. I'll use /var/log/commands.log as the location for my command log; you can alter this, but it is recommended that it stays in the /var/log directory.

local6.*    /var/log/commands.log

And restart rsyslog with:

sudo service rsyslog restart
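Once entries are flowing into /var/log/commands.log, the point of the exercise is to read them. As an added example (not part of the original post), this script parses the line format produced by the PROMPT_COMMAND above (rsyslog's traditional file format, with logger's default tag being the user name) and pulls out a few review figures: failed commands, per-user counts, and users who should not be running an interactive shell at all. The sample log lines are constructed for the example, and the function names are my own.

```shell
# Added example, not from the original post: review /var/log/commands.log.
# Each rsyslog line has the shape
#   <timestamp> <host> <user>: <user> [<shell pid>]: <command> [<exit status>]

# Constructed sample lines standing in for the real /var/log/commands.log.
SAMPLE_LOG='Mar  3 09:12:01 webserver tiago: tiago [2104]: ls -la /etc [0]
Mar  3 09:12:15 webserver tiago: tiago [2104]: sudo nano /etc/rsyslog.d/bash.conf [0]
Mar  3 09:13:40 webserver www-data: www-data [3311]: id [0]
Mar  3 09:14:02 webserver www-data: www-data [3311]: sudo -i [1]
Mar  3 09:15:30 webserver tiago: tiago [2104]: sudo service rsyslog restart [0]
Mar  3 09:16:11 webserver tiago: tiago [2104]: cat /var/log/commands.log [1]'

tab=$(printf '\t')

# One tab-separated record per matching line: user, shell pid, exit status, command.
# Lines that do not fit the pattern (e.g. truncated ones) are skipped.
parse_log() {
    printf '%s\n' "$1" |
        sed -En "s/^.* ([^ ]+) \[([0-9]+)\]: (.*) \[([0-9]+)\]\$/\1${tab}\2${tab}\4${tab}\3/p"
}

# Number of commands that returned a non-zero exit status.
failed_count() {
    parse_log "$1" | awk -F"$tab" '$3 != 0 { n++ } END { print n + 0 }'
}

# Number of commands run by one user.
count_for_user() {
    parse_log "$1" | awk -F"$tab" -v u="$2" '$1 == u { n++ } END { print n + 0 }'
}

# Users present in the log that are not on the comma-separated allow-list:
# a service account such as www-data showing up here deserves a look.
unexpected_users() {
    parse_log "$1" | awk -F"$tab" -v allowed="$2" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) && !seen[$1]++ { print $1 }'
}

# Failed commands with the user who ran them (failed sudo attempts stand out).
failed_commands() {
    parse_log "$1" | awk -F"$tab" '$3 != 0 { print $1 ": " $4 " (exit " $3 ")" }'
}

echo "commands with non-zero exit: $(failed_count "$SAMPLE_LOG")"
echo "users outside the allow-list: $(unexpected_users "$SAMPLE_LOG" tiago,root)"
failed_commands "$SAMPLE_LOG"
```

To run it against the real file, pass its contents instead of the sample, e.g. `failed_commands "$(sudo cat /var/log/commands.log)"`. Note that a command containing the sequence " [digits]: " would confuse the single regular expression used here; for anything beyond a quick review, parse the fixed prefix fields first.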

Now let's set up log rotation. Log rotation keeps log files under control by deleting, archiving or even emailing old logs based on their size or age, which is a good way to prevent log files from growing uncontrollably. For this we'll use the logrotate command, which usually comes pre-installed with Ubuntu, but just in case, let's update the package lists and install it if it isn't already installed.

sudo apt-get update && sudo apt-get install logrotate

If it is already installed you'll get output like this:

logrotate is already the newest version.

Now let's edit the config file to also rotate our commands.log file. There are already some other logs in the file:

sudo nano /etc/logrotate.d/rsyslog

Add your commands.log file to the last group, so that it turns into:

/var/log/syslog
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
                reload rsyslog >/dev/null 2>&1 || true
        endscript
}

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
/var/log/commands.log
{
        rotate 4
        weekly
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                reload rsyslog >/dev/null 2>&1 || true
        endscript
}
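Before relying on the rotation, it is worth confirming that commands.log really is covered by a stanza and with the policy you expect. As an added example (not part of the original post), this script parses a copy of the logrotate config in the layout shown above (paths listed one per line, brace on its own line, or the path and opening brace on one line) and reports the directives of the stanza that lists a given path. The config text is a constructed excerpt of the file above, and the function names are my own.

```shell
# Added example, not from the original post: find which logrotate stanza
# covers a log file and report its directives.

# Constructed excerpt of /etc/logrotate.d/rsyslog in the layout used in the post.
LOGROTATE_CONF='/var/log/syslog
{
        rotate 7
        daily
        missingok
        notifempty
        delaycompress
        compress
        postrotate
                reload rsyslog >/dev/null 2>&1 || true
        endscript
}

/var/log/auth.log
/var/log/messages
/var/log/commands.log
{
        rotate 4
        weekly
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                reload rsyslog >/dev/null 2>&1 || true
        endscript
}'

# Print the directives (one per line) of the stanza that lists the given
# path; print nothing and return 1 if no stanza covers it.
stanza_for() {
    printf '%s\n' "$1" | awk -v target="$2" '
        /^[[:space:]]*$/ { next }
        $NF == "{"      { if (NF > 1 && $1 == target) hit = 1; inbody = 1; next }
        $1 == "}"       { if (hit) { found = 1; exit } inbody = 0; hit = 0; next }
        !inbody         { if ($1 == target) hit = 1; next }
        inbody && hit   { sub(/^[[:space:]]+/, ""); print }
        END { exit (found ? 0 : 1) }'
}

# Rotation frequency directive (daily/weekly/monthly/yearly) for a path.
rotation_frequency() {
    stanza_for "$1" "$2" | awk '/^(daily|weekly|monthly|yearly)$/ { print; exit }'
}

# Number of old copies kept ("rotate N") for a path.
rotations_kept() {
    stanza_for "$1" "$2" | awk '$1 == "rotate" { print $2; exit }'
}

echo "stanza covering /var/log/commands.log:"
stanza_for "$LOGROTATE_CONF" /var/log/commands.log
echo "frequency: $(rotation_frequency "$LOGROTATE_CONF" /var/log/commands.log)"
echo "copies kept: $(rotations_kept "$LOGROTATE_CONF" /var/log/commands.log)"
```

On the server itself you can also ask logrotate to dry-run the file with `sudo logrotate -d /etc/logrotate.d/rsyslog`, which prints what it would do without touching any log.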

Now save the file, log out and back in, and you should start seeing the commands being logged!

Tiago

Tiago Ferreira
