Compile bash to implement syslogs of history

Source: Internet
Author: User
Tags: rsyslog, rpmbuild

I. Compile bash to log shell history to syslog

This article rebuilds the bash source package to enable bash's built-in history-to-syslog logging. Because every command line then passes through syslog, the records can be forwarded in real time to a central log server, which gives an audit trail of operator activity on each host.

Operating system version: CentOS 6.5x64

1. Install the bash source package matching CentOS 6.5

# wget http://vault.centos.org/6.5/os/Source/SPackages/bash-4.1.2-15.el6_4.src.rpm
# rpm -i bash-4.1.2-15.el6_4.src.rpm

# Ignore the installation warnings (the signing key is not imported and the mockbuild user does not exist, so the files are owned by root).
warning: bash-4.1.2-15.el6_4.src.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
...

[root@localhost soft]#

After the installation is complete, the following directory structure is created in the current user's home directory.

[root@localhost ~]# pwd
/root
# ls
anaconda-ks.cfg  bash-4.1.2-15.el6_4.src.rpm  install.log  install.log.syslog  rpmbuild  Public  Templates  Videos  Pictures  Documents  Downloads  Music  Desktop
[root@localhost ~]# tree rpmbuild/
rpmbuild/
├── SOURCES
│   ├── bash-2.02-security.patch
│   ├── bash-2.03-paths.patch
│   ├── bash-2.03-profile.patch
│   ├── bash-2.05a-interpreter.patch
│   ├── bash-2.05b-debuginfo.patch
│   ├── bash-2.05b-manso.patch
│   ├── bash-2.05b-pgrp_sync.patch
│   ├── bash-2.05b-readline-oom.patch
│   ├── bash-2.05b-xcc.patch
│   ├── bash-3.2-audit.patch
│   ├── bash-3.2-ssh_source_bash.patch
│   ├── bash-4.0-nobits.patch
│   ├── bash41-001
│   ├── bash41-002
│   ├── bash-4.1-bind_int_variable.patch
│   ├── bash-4.1-broken_pipe.patch
│   ├── bash-4.1-defer-sigchld-trap.patch
│   ├── bash-4.1-examples.patch
│   ├── bash-4.1-logout.patch
│   ├── bash-4.1-manpage.patch
│   ├── bash-4.1-manpage_trap.patch
│   ├── bash-4.1-signal.patch
│   ├── bash-4.1.tar.gz
│   ├── bash-4.1-trap.patch
│   ├── bash-bashbug.patch
│   ├── bash-infotags.patch
│   ├── bash-requires.patch
│   ├── bash-setlocale.patch
│   ├── bash-tty-tests.patch
│   ├── dot-bash_logout
│   ├── dot-bash_profile
│   └── dot-bashrc
└── SPECS
    └── bash.spec

2 directories, 33 files

2. Extract the bash-4.1 source tarball in the SOURCES directory and keep a pristine copy to diff against later.

[root@localhost ~]# cd /root/rpmbuild/SOURCES/
[root@localhost SOURCES]# tar zxvf bash-4.1.tar.gz
[root@localhost SOURCES]# cp -a bash-4.1 bash-4.1-orig
[root@localhost SOURCES]#
[root@localhost SOURCES]# cd bash-4.1
[root@localhost bash-4.1]#

3. Modify code snippet 1

# vim config-top.h

# Uncomment the SYSLOG_HISTORY define and change the facility and level to the values below. With the stock settings the records land in /var/log/messages; selecting local1.debug lets rsyslog route them to a dedicated file instead.

#define SYSLOG_HISTORY

#if defined (SYSLOG_HISTORY)
#  define SYSLOG_FACILITY LOG_LOCAL1
#  define SYSLOG_LEVEL LOG_DEBUG
#endif

4. Modify code snippet 2

# vim bashhist.c

# Find the function that starts at line 701:

701 void
702 bash_syslog_history (line)
703      const char *line;
704 {
705   char trunc[SYSLOG_MAXLEN];
706
707   if (strlen (line) < SYSLOG_MAXLEN)
708     syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s", getpid(), current_user.uid, line);
709   else
710     {
711       strncpy (trunc, line, SYSLOG_MAXLEN);
712       trunc[SYSLOG_MAXLEN - 1] = '\0';
713       syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d UID=%d %s", getpid(), current_user.uid, trunc);
714     }
715 }
716 #endif

Modify it to the following (the new format adds the parent PID, the session ID and the user name to each record):

void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];

  /* Record the parent PID, session ID and user name alongside the UID so that
     a command can be tied to its login session even after su. */
  if (strlen (line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PPID=%d PID=%d SID=%d UID=%d User=%s %s",
            getppid (), getpid (), getsid (getpid ()), current_user.uid, current_user.user_name, line);
  else
    {
      /* Lines of SYSLOG_MAXLEN bytes or more are cut short and flagged as truncated. */
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PPID=%d PID=%d SID=%d UID=%d User=%s %s",
              getppid (), getpid (), getsid (getpid ()), current_user.uid, current_user.user_name, trunc);
    }
}

5. Generate the patch and add it to the spec file

[root@localhost SOURCES]# diff -Npru bash-4.1-orig bash-4.1 > bash_history_syslog.patch

# cd ~/rpmbuild/SPECS/

# vim bash.spec
# Add the two lines below next to the existing Patch and %patch entries, then save and exit.

Patch119: bash_history_syslog.patch

...
%patch119 -p1 -b .history_syslog
...

6. Start compilation

[root@localhost SPECS]# rpmbuild -ba bash.spec
error: Failed build dependencies:
	texinfo is needed by bash-4.1.2-15.el6.x86_64

Open another window, install the texinfo package (yum install texinfo), then run the build again.

[root@localhost SPECS]# rpmbuild -ba bash.spec
[root@localhost SPECS]# cd ~/rpmbuild/RPMS/x86_64/

7. Install the rebuilt bash rpm package

[root@localhost ~]# cd ~/rpmbuild/RPMS/x86_64/
[root@localhost x86_64]# ls
bash-4.1.2-15.el6.x86_64.rpm  bash-debuginfo-4.1.2-15.el6.x86_64.rpm  bash-doc-4.1.2-15.el6.x86_64.rpm
[root@localhost x86_64]#
[root@localhost x86_64]# rpm -Uvh --force bash-4.1.2-15.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:bash                   ########################################### [100%]
[root@localhost x86_64]#

8. Configure the rsyslog service

[root@localhost x86_64]# vi /etc/rsyslog.conf

# Add the following line:
local1.debug    /var/log/bash


[root@localhost x86_64]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

9. View the log records. User operations are now written to /var/log/bash, separate from each user's own history file, and the file is owned by root with mode 0600, so an unprivileged user can neither read nor edit it. If a log server is configured, the same records are forwarded to it in real time. Note that bash emits a record when it adds a line to its history, so only interactive shells with history enabled are covered; treat this as an audit aid that complements auditd rather than replacing it.

[root@localhost ~]# tail -f /var/log/bash
Apr 13 00:47:11 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root ifconfig
Apr 13 00:47:12 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root ls
Apr 13 00:47:13 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root df -h
Apr 13 00:47:15 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root history
Apr 13 00:47:24 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root cat /var/log/bash
Apr 13 01:19:47 localhost bash: HISTORY: PPID=26139 PID=26141 SID=26141 UID=0 User=root cat /var/log/bash
Apr 13 01:19:57 localhost bash: HISTORY: PPID=26139 PID=26141 SID=26141 UID=0 User=root ifconfig
Apr 13 01:21:07 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root ifconfig
Apr 13 01:21:17 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root w
Apr 13 01:21:20 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root df -h
Apr 13 01:21:33 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root useradd abc
Apr 13 01:21:38 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root passwd abc
Apr 13 01:21:42 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root su - abc
Apr 13 01:21:44 localhost -bash: HISTORY: PPID=26192 PID=26193 SID=26159 UID=500 User=abc exit
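As an added example (not part of the original article), the following Python parser reads the HISTORY records that the patched bash emits. The sample lines are constructed after the output above; the parser anchors on the fixed prefix so that a command which itself contains text like User= cannot spoof the fields, and it groups records by SID, which survives su, so the commands run as abc stay attributable to the root login session.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines; the first three mirror the article's output.
# The patched bash_syslog_history() writes "HISTORY: PPID=%d PID=%d SID=%d UID=%d User=%s %s";
# a login shell reports its name as "-bash" and over-long commands are tagged "(TRUNCATED)".
SAMPLE_LOG = """\
Apr 13 01:21:33 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root useradd abc
Apr 13 01:21:42 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root su - abc
Apr 13 01:21:44 localhost -bash: HISTORY: PPID=26192 PID=26193 SID=26159 UID=500 User=abc exit
Apr 13 01:22:01 localhost bash: HISTORY (TRUNCATED): PPID=2471 PID=2473 SID=2473 UID=0 User=root echo User=x UID=7
Apr 13 01:22:05 localhost sshd[2470]: pam_unix(sshd:session): session closed for user root
"""

# Match the fixed prefix only: the command is free text and may itself contain
# "User=" or "UID=", so the fields must never be recovered by splitting on those tokens.
HISTORY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>-?bash): "
    r"HISTORY(?P<trunc> \(TRUNCATED\))?: PPID=(?P<ppid>\d+) PID=(?P<pid>\d+) "
    r"SID=(?P<sid>\d+) UID=(?P<uid>\d+) User=(?P<user>\S+) (?P<cmd>.*)$"
)

def parse_history_line(line):
    """Return a dict for one bash HISTORY record, or None for any other syslog line."""
    m = HISTORY_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("ppid", "pid", "sid", "uid"):
        rec[key] = int(rec[key])
    rec["truncated"] = rec.pop("trunc") is not None
    rec["login_shell"] = rec["prog"] == "-bash"
    return rec

def sessions_by_sid(text):
    """Group records by SID: the session id survives su, so commands run as another
    user inside a root login session stay attributable to that session."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        rec = parse_history_line(line)
        if rec is not None:
            sessions[rec["sid"]].append(rec)
    return dict(sessions)

def sessions_with_uid_change(text):
    """SIDs in which commands ran under more than one UID (e.g. a su inside the session)."""
    return sorted(sid for sid, recs in sessions_by_sid(text).items()
                  if len({r["uid"] for r in recs}) > 1)
```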

II. rsyslog log server configuration

1. Log server configuration

# vi /etc/rsyslog.conf

Uncomment the following four lines:

$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

In the #### GLOBAL DIRECTIVES #### section, add the following:

$template IpTemplate,"/var/log/%FROMHOST-IP%.log"
*.* ?IpTemplate
& ~

Note: the template names each remote log file after the sending client's IP address (%FROMHOST-IP%). Because the rule matches *.* and the following & ~ discards what it has written, the server's own messages also end up in 127.0.0.1.log, as the listing below shows.

Then restart the rsyslogd service.

# service rsyslog restart


2. Log client configuration

# vi /etc/rsyslog.conf

local1.debug    @192.168.0.66

(A single @ forwards over UDP; @@ would use the TCP listener opened on the server.)

# Restart the rsyslogd service

# service rsyslog restart


3. Check the result on the server: the client's records arrive in a file named after its IP address.

[root@testdb log]# cd /var/log
[root@testdb log]# ll
total 908
-rw------- 1 root 1718 412 127.0.0.1.log
-rw------- 1 root 272 412 192.168.0.65.log
-rw------- 1 root 3754 412 66_history_bash
-rw-------. 1 root 2368 109 anaconda.ifcfg.log
-rw-------. 1 root 29331 109 anaconda.log

[root@testdb log]# tail -f 192.168.0.65.log
Apr 13 17:41:13 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root 192.168
Apr 13 17:42:40 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root sss
Apr 13 17:43:38 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root s
Apr 13 17:52:27 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root ifconfig
Apr 13 17:52:27 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root w
