AIX
  • 1.  Sending the user history to syslog

    Posted Wed August 26, 2009 11:16 AM

    Originally posted by: Jack_


    Hello everyone,
    I’ve been trying to send all the commands executed by the users to syslog.
    I've tried this:
    sudo tail -f /home/username/.sh_history| logger -p local7.notice

    When the user types any command a new entry is created on syslog, but it doesn't contain the command itself, as follows:
    Aug 26 14:55:58 ddasy040 local7:notice username:

    What should I change to have the last command appended to the .sh_history file being passed to the logger command?

    Any help will be greatly appreciated!

    Best regards,

    Jack
    #AIX-Forum


  • 2.  Re: Sending the user history to syslog

    Posted Tue September 01, 2009 07:28 AM

    Originally posted by: Jack_


    Hello everyone,
    I've found a way of doing it. I can add the following code on the end of the /etc/profile file:

    # fall back to ksh's default history file if HISTFILE is not set yet
    : ${HISTFILE:=$HOME/.sh_history}
    syslog_exist=$(ps -ef | grep "tail -0f $HISTFILE" | grep -v grep | wc -l)

    if [ "$syslog_exist" -eq 0 ]
    then
        # one background tail per history file; every new line goes to syslog
        tail -0f "$HISTFILE" | while IFS= read -r line
        do
            # quote the tag and the line: unquoted, the shell split "WHO = ..."
            # into several words and the tag ended up as just "WHO"
            logger -p local7.notice -t "WHO = $LOGNAME, CMD =" "$line"
        done &
    fi

    When a user logs in, it starts a background tail on the user's history.
    Every time the user types something, the history file is updated and the entry is sent to syslog.
    The only problem with this approach is when the user does something like this:
    sudo su - username2 -c echo
    This command starts the tail on the username2 history file, but the tail is not finished when the output of the command is returned. So I ended up with tails on users' histories while those users are not logged in. I could create another script to clean this up, but I would like to find a simpler solution. Any suggestion?

    Best Regards,

    Jack
    #AIX-Forum
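    The snippet below is an added example for this thread, not Jack's code and not anything shipped with AIX. It is a POSIX sh version of the /etc/profile approach above that also handles the "su - username2 -c echo" case: the tail is only started for interactive shells (so a "-c" shell never starts one), and an EXIT trap stops the tail when the login shell ends. It assumes ksh honours a HISTFILE set in /etc/profile (the FIFO suggestion later in this thread relies on the same behaviour), that ksh terminates each stored command with a NUL byte (hence the tr filter), and that "ps -ef" on AIX prints the PID in the second column. It uses one history file per session (a trade-off: no shared cross-session history, but unambiguous attribution to a user and tty). The function, file name and logger tag are this example's own choices. Keep in mind that the user owns the history file and the tail, so they can unset HISTFILE, truncate the file or kill the tail; this is best-effort accountability, not a tamper-resistant audit trail, which is what sudo logging to a remote host or the AIX audit subsystem is for.

```shell
#!/bin/sh
# Ship a ksh login session's history to syslog. Added example for this
# thread, not the original poster's code. Intended to be sourced from
# /etc/profile on AIX; written in POSIX sh so it runs under ksh88 and bash.

# Turn raw ksh history bytes on stdin into one syslog-ready line per command.
# Assumption: ksh ends each stored command with a NUL byte and may write other
# control bytes; drop them, keep tab and newline.
# $1 = user name, $2 = tty; output lines look like "user=... tty=... cmd=..."
hist_record_to_syslog_lines() {
    tr -d '\000-\010\013-\037' | while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue      # empty lines left behind by separators
        printf 'user=%s tty=%s cmd=%s\n' "$1" "$2" "$cmd"
    done
}

# The exact tail command line, so the EXIT trap can find and kill it.
hist_tail_cmd() {
    printf 'tail -n 0 -f %s' "$HISTFILE"
}

# Kill the tail following this session's history file (best effort).
# Assumption: "ps -ef" prints the PID in column 2 and the full command line.
stop_history_logger() {
    ps -ef | awk -v f="$(hist_tail_cmd)" 'index($0, f) { print $2 }' \
        | while read -r pid; do kill "$pid" 2>/dev/null; done
}

start_history_logger() {
    # Non-interactive shells (e.g. "su - user -c cmd") get no tail at all;
    # that is the case that left stray tail processes behind.
    case $- in *i*) ;; *) return 0 ;; esac

    # One history file per session: the tail has a unique file to follow and
    # each command can be attributed to this session's tty.
    # Assumption: ksh honours HISTFILE set from /etc/profile.
    HISTFILE=$HOME/.sh_history.$$
    export HISTFILE
    ( umask 077; : > "$HISTFILE" )          # create it readable by the owner only

    user=${LOGNAME:-$(id -un)}
    tty=$(tty 2>/dev/null || echo unknown)

    # tail -> formatter -> logger, all in the background. POSIX "logger"
    # reads one message per line from stdin when no message is given.
    $(hist_tail_cmd) | hist_record_to_syslog_lines "$user" "$tty" \
        | logger -p local7.notice -t sh_history &

    # Stop the tail when the login shell exits so it never outlives the
    # session. A user .profile that sets its own EXIT trap would replace this.
    trap 'stop_history_logger' EXIT
}

start_history_logger
```

    On the syslog side the lines arrive tagged "sh_history" at local7.notice, e.g. "user=jack tty=pts/0 cmd=ls -l /tmp", so a remote syslog rule can key on the tag and the "user=" field. Old per-session files under $HOME need periodic cleanup (a cron job removing .sh_history.* older than a few days is enough).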


  • 3.  Re: Sending the user history to syslog

    Posted Tue September 01, 2009 09:14 AM

    Originally posted by: Casey_B


    I should preface this by saying that I never had to save all user commands on a system.
    Usually, we disallowed "sudo su -" and as many other similar commands, and then logged all sudo access to a different
    machine. ( We used sudo for root, and also for the db2 admin id's, and other privileged id's)

    The knowledge below comes from consulting the google: (history to syslog)

    You might want to test and see if fc will be less resource intensive than tail.
    Also, I seem to remember that the history file is circular in some way.
    I don't know how tail will continue to work for a long running user process.

    http://posludio.wordpress.com/2007/11/02/bash-history-to-a-remote-syslog/

    traps like they describe above work in ksh88 on AIX, with one exception...
    typeset should be substituted for declare.

    I still think that is going to be pretty resource intensive if you have any
    number of users logging into the machine.

    In that case, here is an interesting, if longer to implement, idea:
    Compile your own bash to send the syslog entries.

    http://blog.rootshell.be/2009/02/28/bash-history-to-syslog/

    Good luck,
    Casey
    #AIX-Forum


  • 4.  Re: Sending the user history to syslog

    Posted Wed September 02, 2009 04:32 AM

    Originally posted by: Jack_


    Hello Casey,

    Thank you very much for your reply!
    I have already tried the trap DEBUG/fc approach to send the history to syslog, but it caused huge performance degradation. As DB2 users have a lot of declarations in their .profile files, having the trap code run after every statement, repeating each line (this is what trap DEBUG does), causes a performance problem. Out of curiosity, with this approach a simple "sudo su - db2user -c echo", which usually takes less than a second, took more than 8 seconds to complete.

    Thank you,

    Jack
    #AIX-Forum


  • 5.  Re: Sending the user history to syslog

    Posted Tue March 21, 2017 03:02 AM

    Originally posted by: Sanjeev Gopal


    Hi Jack, I realize this is a very old thread. Did you get around to completing your work on this? I'm able to send bash history to syslog, with some caveats, but no luck with sh and ksh.


    #AIX-Forum


  • 6.  Re: Sending the user history to syslog

    Posted Thu September 03, 2009 09:36 PM

    Originally posted by: SystemAdmin


    Hi Jack,

    The following needs a bit of fleshing out and testing.
    1. Create a FIFO; e.g. mkfifo /sh_history
    2. Have a script running continuously for the FIFO; e.g.

    while (( 1 == 1 ))
    do
        # logger exits on EOF when the writer closes the FIFO, so reopen it
        logger < /sh_history
    done

    3. Set HISTFILE in /etc/profile; e.g. HISTFILE=/sh_history; export HISTFILE

    The script is simple and could be improved. Without the loop, you will only get one use of the logger.

    Regards,
    George
    #AIX-Forum