Re: [logs] How to log - commands and file access Nov 25 2007 12:48AM
Karl Vogel (vogelke pobox com)
>> On Fri, 9 Nov 2007 09:25:47 +0100,
>> david.bigot (at) devoteam (dot) com said:

D> I want to know for a customer, how to log automatically on UNIX and
D> Linux system:

D> - all commands executed (in BASH, ZSH & co ...). I know but the file
D> ~/.(ba)sh_history but I prefer a global file or through syslog.

I use ZSH plus a shell function to keep track of my command history through
syslog, in case I mangle my own history file. The shell function is called
"precmd", and it runs after you type a command at the prompt.

# Log commands, return codes and the current working directory.
# Based on:
#
#   http://blogs.sun.com/chrisg/entry/logging_commands_in_korn_shell
#   Logging commands in korn shell
#   Chris Gerhard
#   Thu, 2 Mar 2006 09:47:29 -0500
#
# Don't try to put local on the x= line. If you do,
# any command arguments (i.e., "ls -la") will throw an error:
#   precmd:local:2: not an identifier: -la

precmd () {
    typeset -i stat=$?          # must be first: return code of the last command
    local x
    x=$(fc -ln -1)              # the last command line, from history
    local d=$(/bin/pwd)         # working directory after the command ran
    logger -p local2.notice -t "$LOGNAME $$" $stat: $d: \($x\)
}

I save the return code from the command plus the (possibly changed) working
directory. Each logfile line holds the hostname, my userid, the shell
process id, the return code, the directory, and the command I ran plus
arguments in parentheses. The "local2" log file looks like this:

Nov 24 18:26:34 myhost vogelke 48701: 1: /src: (man align)
Nov 24 18:27:20 myhost vogelke 48700: 0: /home/vogelke: (cd)
Nov 24 18:27:23 myhost vogelke 48700: 0: /var/mail: (cd /var/mail)
Nov 24 18:27:23 myhost vogelke 48700: 0: /var/mail: (dir)
Nov 24 18:27:42 myhost vogelke 48700: 0: /var/mail: (from)

I keep the shell process id because I usually have two xterms going, and I
frequently switch back and forth; this keeps the command order straight.
On the first line, you can see that there's no man entry for align, so I
got a "1" for the return code. The second line shows me going home, etc.

--
Karl Vogel I don't speak for the USAF or my company

Aim towards the Enemy. --instruction printed on US Rocket Launcher
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis
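Added example, not part of Karl's post: a Python parser for the local2 lines his precmd function writes, grouping them per shell pid (the reason he keeps the pid) and pulling out the commands with a non-zero return code. The first five sample lines are the ones quoted above; the sixth is constructed to show that a command containing ": (" and ")" still parses.

```python
import re
from typing import Dict, List, NamedTuple, Optional
# Constructed sample input: the five lines quoted in the post, plus one
# constructed line whose command itself contains ": (" and ")".
SAMPLE_LOG = """\
Nov 24 18:26:34 myhost vogelke 48701: 1: /src: (man align)
Nov 24 18:27:20 myhost vogelke 48700: 0: /home/vogelke: (cd)
Nov 24 18:27:23 myhost vogelke 48700: 0: /var/mail: (cd /var/mail)
Nov 24 18:27:23 myhost vogelke 48700: 0: /var/mail: (dir)
Nov 24 18:27:42 myhost vogelke 48700: 0: /var/mail: (from)
Nov 24 18:29:05 myhost vogelke 48701: 2: /src: (grep -n 'x: (y)' notes)
"""

# After the syslog prefix and the "<user> <pid>" tag, precmd writes
# "<status>: <cwd>: (<command>)". cwd is matched lazily, command greedily.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<pid>\d+): (?P<status>\d+): (?P<cwd>.*?): \((?P<cmd>.*)\)$"
)

class Record(NamedTuple):
    ts: str
    host: str
    user: str
    pid: int
    status: int
    cwd: str
    cmd: str

def parse_line(line: str) -> Optional[Record]:
    """One local2 line -> Record, or None if the line is not in this format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return Record(m["ts"], m["host"], m["user"], int(m["pid"]),
                  int(m["status"]), m["cwd"], m["cmd"])

def parse_log(text: str) -> List[Record]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def by_shell(records: List[Record]) -> Dict[int, List[Record]]:
    """Group per shell pid so each xterm's command order stays straight."""
    groups: Dict[int, List[Record]] = {}
    for r in records:
        groups.setdefault(r.pid, []).append(r)
    return groups

def failed(records: List[Record]) -> List[Record]:
    return [r for r in records if r.status != 0]  # non-zero return codes
```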
