Configuring rsyslog to audit user command activity

Create a client.sh file under /etc/profile.d/ that sets PROMPT_COMMAND. Before every prompt it sends the last history entry to the local4 facility through logger, prefixed with the local IP (read from the RHEL/CentOS-style ifcfg-eth0 file), the SSH connection, the user and the working directory:
    vim /etc/profile.d/client.sh
    export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo "$y"; }); logger -p local4.info "[LOCAL|$(grep IPADDR /etc/sysconfig/network-scripts/ifcfg-eth0 | sed "s/IPADDR=//g") -- SSH|$SSH_CONNECTION $SSH_TTY -- USER|$USER -- PWD|$PWD]: $msg"; }'
Add this line to /etc/rsyslog.conf:
    local4.*                                                /var/log/cmd_track.log
Restart the rsyslog service (SysV init or systemd, depending on the distribution):
    /etc/init.d/rsyslog restart
    systemctl restart rsyslog
Confirm that rsyslogd is running:
    netstat -aulntp | grep rsyslog
    tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      20228/rsyslogd
    tcp6       0      0 :::514                  :::*                    LISTEN      20228/rsyslogd
    udp        0      0 0.0.0.0:514             0.0.0.0:*                           20228/rsyslogd
    udp6       0      0 :::514                  :::*                                20228/rsyslogd
Once this is done, a cmd_track.log file with mode 600 appears under /var/log/. Since PROMPT_COMMAND runs inside the user's own shell, the record is advisory rather than tamper-proof, and pressing Enter at an empty prompt logs the previous history entry a second time.
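As an added example (not part of the original post), the POSIX shell functions below parse lines in the format the logger call above writes to /var/log/cmd_track.log and pick out sudo/su invocations for review. The log lines are constructed samples, and the "alice:" tag assumes logger's default tag, the invoking user's name.

```shell
#!/bin/sh
# Added example: parse /var/log/cmd_track.log lines in the format produced by the
# PROMPT_COMMAND logger call above. The log lines below are constructed samples;
# the "alice:" / "bob:" tag assumes logger's default tag (the invoking user's name).
SAMPLE_LOG='Jan 12 10:23:45 web01 alice: [LOCAL|192.168.1.10 -- SSH|10.0.0.5 51234 192.168.1.10 22 /dev/pts/0 -- USER|alice -- PWD|/home/alice]: sudo su -
Jan 12 10:24:02 web01 bob: [LOCAL|192.168.1.10 -- SSH|10.0.0.7 40211 192.168.1.10 22 /dev/pts/1 -- USER|bob -- PWD|/tmp]: ls -la
Jan 12 10:24:30 web01 bob: [LOCAL|192.168.1.10 -- SSH|10.0.0.7 40211 192.168.1.10 22 /dev/pts/1 -- USER|bob -- PWD|/tmp]: su - root'

# cmd_track_field FIELD LINE: print LOCAL, SSH, USER, PWD or CMD from one log line.
# The header is the first [...] group; the command is everything after the first "]: ".
cmd_track_field() {
    printf '%s\n' "$2" | awk -v want="$1" '
    {
        s = index($0, "[")
        e = index($0, "]: ")
        if (s == 0 || e == 0) exit 1
        header = substr($0, s + 1, e - s - 1)
        if (want == "CMD") { print substr($0, e + 3); exit }
        n = split(header, parts, " -- ")
        for (i = 1; i <= n; i++) {
            p = index(parts[i], "|")
            if (substr(parts[i], 1, p - 1) == want) { print substr(parts[i], p + 1); exit }
        }
        exit 1   # requested field not present in the header
    }'
}

# privileged_cmds: read log lines on stdin; print "user: command" for sudo/su
# invocations, the entries an auditor would normally review first.
privileged_cmds() {
    while IFS= read -r line; do
        cmd=$(cmd_track_field CMD "$line") || continue
        case "$cmd" in
            sudo|sudo\ *|su|su\ *)
                printf '%s: %s\n' "$(cmd_track_field USER "$line")" "$cmd" ;;
        esac
    done
}

# Stand-alone run: lists the two privileged entries from SAMPLE_LOG.
printf '%s\n' "$SAMPLE_LOG" | privileged_cmds
```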
