The previous article explained how to display all executed Linux commands with the history command. But history is kept per user and per shell, so when several people switch to the root user it is hard to tell, while troubleshooting, which user actually ran a command that may be dangerous for the server.
How to log all commands in Linux?
Here are the steps to log all commands in Linux; they work on openSUSE, Ubuntu/Debian and RedHat-based distributions:
1. Changing the bashrc file
Modify the system-wide bashrc file by adding the following line to it. On RedHat-based systems this file is /etc/bashrc; on Debian/Ubuntu and openSUSE it is /etc/bash.bashrc. Bash runs PROMPT_COMMAND just before printing each prompt, so after every command it takes the last history entry, strips the history number with sed, and hands the line to logger at facility local6, priority debug, together with the effective user name ($(whoami), which is root after su) and the PID of the shell ($$). The exit status of the command is saved in RETRN_VAL but not logged; append it to the logger message if you want it:
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" )"'
After that, run the command below so the change takes effect in the current shell (new logins pick it up automatically):
2. Change the bash.conf file
Create the /etc/rsyslog.d/bash.conf file with a rule that sends everything logged to facility local6 into /var/log/commands.log (rsyslog includes every .conf file in /etc/rsyslog.d/ by default, so a separate file keeps the change out of the main configuration):
3. Changing the syslog file
Modify the /etc/logrotate.d/syslog file (on Debian/Ubuntu the equivalent file is /etc/logrotate.d/rsyslog) by adding a rotation stanza for /var/log/commands.log, otherwise the file will grow without bound:
4. Restart the rsyslog service
Then check the configuration syntax with rsyslogd -N1 and restart the rsyslog service with the command:
systemctl restart rsyslog
After that, test it: log in as an ordinary Linux user and run a few commands, then switch to the root user and run some more. Every command executed should now be recorded in /var/log/commands.log with the effective user name and shell PID in front of it, so a root command can be traced back to the su or sudo line of the user who became root just before it. Keep in mind that this is a convenience audit trail, not a security control: it only covers interactive bash, and a user who knows about it can unset PROMPT_COMMAND, start bash with --norc, or use another shell, and none of that will be logged. Protect the file from ordinary users as well (mode 0600), since command lines frequently contain passwords and tokens, and consider forwarding local6 to a remote syslog server so that a user who became root cannot simply edit the log.
Since /var/log/commands.log stores every command executed by every user, watch its size: on a busy server it grows quickly, which is why the logrotate stanza from step 3 is needed. Verify the rotation with a dry run, logrotate -d /etc/logrotate.d/syslog, before relying on it.
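The whole procedure collected into one script, as an added example that is not part of the original article: it writes the three configuration pieces (the PROMPT_COMMAND line from step 1, an rsyslog rule for step 2 and a logrotate stanza for step 3), restarts rsyslog, and includes a small helper that pulls one user's commands out of the resulting log. The rsyslog rule, the logrotate stanza, the PREFIX staging variable, the function names and the sample log lines are my assumptions, not content from the page; run it with PREFIX set to an empty directory to inspect the generated files without touching the system.

```shell
#!/bin/sh
# Added example (not from the original article). Installs the three pieces
# of the command-logging setup and parses the resulting log.
# Assumptions: the rsyslog rule, the logrotate stanza, PREFIX, the function
# names and the sample log lines are mine; only the PROMPT_COMMAND line is
# the article's.
set -eu

# PREFIX="" installs into the real /etc; PREFIX=/tmp/stage writes a copy there.
PREFIX="${PREFIX:-}"

# Step 1: append the article's PROMPT_COMMAND line to the system-wide bashrc.
# The file is /etc/bashrc on RedHat-based systems but /etc/bash.bashrc on
# Debian/Ubuntu and openSUSE; pass the right path as $1.
install_prompt_command() {
  rc="$1"
  mkdir -p "$(dirname "$rc")"
  # Quoted heredoc: nothing is expanded while writing the file.
  cat >> "$rc" <<'EOF'
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" )"'
EOF
}

# Step 2: rsyslog rule (assumed, standard legacy syntax). Everything logged
# with facility local6 goes to commands.log, and "& stop" keeps the same
# lines out of /var/log/messages or /var/log/syslog.
install_rsyslog_rule() {
  conf="$1"
  mkdir -p "$(dirname "$conf")"
  cat > "$conf" <<'EOF'
local6.*    /var/log/commands.log
& stop
EOF
}

# Step 3: logrotate stanza (assumed). Weekly rotation, four compressed copies,
# root-only file (command lines often contain secrets), HUP rsyslog afterwards
# so it reopens the fresh file.
install_logrotate() {
  conf="$1"
  mkdir -p "$(dirname "$conf")"
  cat >> "$conf" <<'EOF'
/var/log/commands.log {
    weekly
    rotate 4
    compress
    missingok
    notifempty
    create 0600 root root
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF
}

# Step 4: syntax-check and restart rsyslog, but only for a real install
# (PREFIX empty); a staged copy has nothing to restart.
install_all() {
  install_prompt_command "$PREFIX/etc/bashrc"
  install_rsyslog_rule "$PREFIX/etc/rsyslog.d/bash.conf"
  install_logrotate "$PREFIX/etc/logrotate.d/syslog"
  if [ -z "$PREFIX" ]; then
    rsyslogd -N1              # aborts the script (set -e) if the config is bad
    systemctl restart rsyslog
  fi
}

# Constructed sample of what rsyslog writes (traditional format; logger tags
# each line with the login name, then comes "user [shell pid]: command").
write_sample_log() {
  cat > "$1" <<'EOF'
Mar  3 10:15:01 srv1 deploy: deploy [4021]: ls -la /srv/app
Mar  3 10:15:09 srv1 deploy: deploy [4021]: sudo su -
Mar  3 10:15:10 srv1 root: root [4102]: cd /srv/data
Mar  3 10:15:12 srv1 root: root [4102]: rm -rf /srv/data/backups
EOF
}

# Print "<shell pid> <command>" for every line logged by the given user.
# The timestamps and shell PIDs let you line up root's commands with the
# "sudo su -" of the user who became root just before them.
commands_by_user() {
  user="$1"; log="$2"
  sed -E -n "s/^.* $user \[([0-9]+)\]: (.*)\$/\1 \2/p" "$log"
}

# Only install when explicitly asked: `sh commands-log.sh install`.
case "${1:-}" in
  install) install_all ;;
esac
```

To stage the files without root, run PREFIX=/tmp/stage sh commands-log.sh install and inspect /tmp/stage/etc; for the real install run it as root with PREFIX unset. The "& stop" line is the part people usually forget: without it every command shows up twice, once in commands.log and once in the main syslog file.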