一,首先要写一个记录shell执行的每一条命令的脚本,放入到/etc/profile.d/ 目录中
#记录shell执行的每一条命令 export PROMPT_COMMAND='\ if [ -z "$OLD_PWD" ];then export OLD_PWD=$PWD; fi; if [ ! -z "$LAST_CMD" ] && [ "$(history 1)" != "$LAST_CMD" ]; then logger -p local4.info -t shell_cmd "`whoami`_shell_cmd [$OLD_PWD] real_user=`who am i|cut -d" " -f 1` $(history 1)"; fi ; export LAST_CMD="$(history 1)"; export OLD_PWD=$PWD;'
立即生效
source /etc/profile.d/cmd.sh
二、在rsyslog日志中配置要发送的位置(可以是本地,也可以是远程服务器端)
/etc/rsyslog.conf
加入以下一行即可
local4.*/var/log/cmd.log
重新启动服务
systemctl restart rsyslog
三、测试
tail -f /var/log/cmd.log Oct 2 22:09:44 node-host3 shell_cmd: user_shell_cmd [/tmp] real_user=user 9 2020-10-02-22:09:44 rm -rf yum_save_tx.2020-09-27.17-41.yaVxRi.yumtx Oct 2 22:10:05 node-host3 shell_cmd: user_shell_cmd [/tmp] real_user=user 10 2020-10-02-22:10:00 passwd Oct 2 22:10:05 node-host3 shell_cmd: user_shell_cmd [/tmp] real_user=user 11 2020-10-02-22:10:05 skdlfj;ajdf