Linux logs a detailed log of all user logins and actions

Source: Internet
Author: User

1. Background

Recently some files on our Linux server were tampered with. We wanted to trace who had done it, but no record could be found, so we needed a way to record every user's operations.

Normally the shell history serves this purpose, but it has a flaw: by default only 1000 commands are kept (you can raise HISTSIZE in /etc/profile from 1000 to 1000000), and even then it is a fairly coarse record. It stores nothing about where the commands came from, such as the source IP address, the time of the operation, or which user performed it.

So we write our own script to implement this.

2. Script for automatic recording

Write the following script:

history
# Name of the user logging in
USER=`whoami`
# Source address of the login session, taken from who(1); parentheses stripped
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
# Local logins have no remote address, so fall back to the hostname
if [ "$USER_IP" = "" ]; then
    USER_IP=`hostname`
fi
# Root of the log tree
if [ ! -d /var/log/history ]; then
    mkdir /var/log/history
    chmod 777 /var/log/history
fi
# One subdirectory per user: the owner may create files but not list the directory
if [ ! -d /var/log/history/${LOGNAME} ]; then
    mkdir /var/log/history/${LOGNAME}
    chmod 300 /var/log/history/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date +"%Y%m%d_%H:%M:%S"`
# Each session writes its history to a file named user@ip_date_time
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null

This script must be placed at the end of /etc/profile. The root of the log tree defaults to /var/log/history, and that directory needs to be initialized beforehand. From the line export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT" you can see that each user's logs live under /var/log/history/${LOGNAME}, so these subdirectories also have to be created in advance: one directory per user, with each directory owned by the corresponding user.

Each time a user logs in and later exits, a file named from the user name, login IP address and login time is generated, and that file contains all the commands the user ran in that session.

3. Creating the initialization directories

First look in /home to see which users exist:

[email protected]_test_static1_11_35 history]# ll

total 28

drwxr-xr-x 2 adminuser adminuser 4096 Nov 21:53 adminuser

drwxr-xr-x 2 fastdfs fastdfs 4096 Nov 21:53 fastdfs

drwxr-xr-x 2 loguser loguser 4096 Nov 19:43 loguser

drwxr-xr-x 2 nginx nginx 4096 20:54 nginx

d-wx------ 2 root root 4096 Nov 21:53 root

drwxr-xr-x 2 tomcat tomcat 4096 Nov 19:42 tomcat

drwxr-xr-x 2 zabbix zabbix 4096 Nov 19:42 zabbix

[email protected]_test_static1_11_35 history]#

Then create the initialization directories, one per user, and hand each one to its user:

[email protected]_test_static1_11_35 log]# mkdir /var/log/history/fastdfs

[email protected]_test_static1_11_35 history]# chown -R fastdfs:fastdfs fastdfs

[email protected]_test_static1_11_35 log]# mkdir /var/log/history/tomcat

[email protected]_test_static1_11_35 log]# chown -R tomcat:tomcat /var/log/history/tomcat

[email protected]_test_static1_11_35 log]# mkdir /var/log/history/zabbix

[email protected]_test_static1_11_35 log]# chown -R zabbix:zabbix /var/log/history/zabbix

[email protected]_test_static1_11_35 log]# mkdir /var/log/history/loguser

[email protected]_test_static1_11_35 log]# chown -R loguser:loguser /var/log/history/loguser

[email protected]_test_static1_11_35 log]# mkdir /var/log/history/adminuser

[email protected]_test_static1_11_35 log]# chown -R adminuser:adminuser /var/log/history/adminuser
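The manual mkdir/chown sequence above, and the directory layout that the /etc/profile snippet in section 2 expects, can be scripted. The following is an added example, not code from the original article: run as root it creates the log root and the per-user directory with the article's mode 300 (owner may write but not list), so the login-time snippet never has to create directories itself and the world-writable mode 777 on /var/log/history becomes unnecessary. It also parses the USER@IP_YYYYMMDD_HH:MM:SS file names the snippet produces, which is convenient when reviewing a directory that only root can list. The log root and user list are passed as arguments; the function names are this example's own. Note that bash writes HISTFILE only when the shell exits normally, so this gives a convenient per-session record rather than a tamper-resistant audit trail; auditd or pam_tty_audit is the tool for the latter.

```shell
#!/bin/sh
# Added example (not from the original article): initialise the per-user
# history directories for the /etc/profile snippet, and parse the session
# file names it writes. Function names and argument conventions are this
# example's own assumptions.

set -eu

# init_history_dir ROOT USER
# Creates ROOT (0755, root-owned, not world-writable) and ROOT/USER owned by
# USER with mode 300, as the article's section 3 does by hand. Idempotent.
init_history_dir() {
    root=$1
    user=$2
    dir="$root/$user"
    [ -d "$root" ] || { mkdir -p "$root"; chmod 755 "$root"; }
    [ -d "$dir" ] || mkdir "$dir"
    chown "$user" "$dir"
    chmod 300 "$dir"
    # Existing session files, if any, stay private to their owner.
    chmod 600 "$dir"/*@* 2>/dev/null || true
}

# perms DIR -> the ls(1) mode string, e.g. d-wx------
perms() {
    ls -ld "$1" | cut -c1-10
}

# session_from_name FILE -> "user ip date time", parsed from the name
# pattern the snippet produces: USER@IP_YYYYMMDD_HH:MM:SS
session_from_name() {
    name=$(basename "$1")
    user=${name%%@*}
    rest=${name#*@}
    ip=${rest%%_*}
    rest=${rest#*_}
    day=${rest%%_*}
    time=${rest#*_}
    printf '%s %s %s %s\n' "$user" "$ip" "$day" "$time"
}

# list_sessions ROOT USER -> one line per recorded session.
# Because the directory is mode 300, only root can enumerate it.
list_sessions() {
    for f in "$1/$2"/*@*; do
        [ -e "$f" ] || continue
        session_from_name "$f"
    done
}

# Usage as root: sh init-history.sh /var/log/history fastdfs tomcat zabbix
if [ "$#" -ge 2 ]; then
    root=$1
    shift
    for u in "$@"; do
        init_history_dir "$root" "$u"
    done
fi
```

Running it again after users have logged in is safe: directories that already exist are left in place and only their ownership and mode are re-applied.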

4. Verifying with a user login

Log in as one of the users, fastdfs, and perform a few operations:

[email protected]_test_static1_11_35 ~]$ sudo -i

[sudo] password for adminuser:

[email protected]_test_static1_11_35 ~]# su - fastdfs

[email protected]_test_static1_11_35 ~]$ cp test1.log test3.log

[email protected]_test_static1_11_35 ~]$ echo "Test 1" > test3.log

[email protected]_test_static1_11_35 ~]$ echo "1" >> test3.log

[email protected]_test_static1_11_35 ~]$ echo "2" >> test3.log

[email protected]_test_static1_11_35 ~]$ echo "3" >> test3.log

[email protected]_test_static1_11_35 ~]$ more test3.log

Test 1

1

2

3

[email protected]_test_static1_11_35 ~]$

Then exit the user's shell and log back in to look at the log directory /var/log/history/fastdfs/ for the latest record. Every time the user logs in and exits, one log file is saved:

# Go to the log directory

[email protected]_test_static1_11_35 fastdfs]# cd /var/log/history/fastdfs/

# View the two operation log records

[email protected]_test_static1_11_35 fastdfs]# ll

total 8

-rw------- 1 fastdfs fastdfs 21:53 [email protected]_20161117_21:53:16

-rw------- 1 fastdfs fastdfs 139 Nov 21:59 [email protected]_20161117_21:56:47

# Open the log of the session just recorded

[email protected]_test_static1_11_35 fastdfs]# more [email protected]_20161117_21:56:47

cp test1.log test3.log

echo "Test 1" > test3.log

echo "1" >> test3.log

echo "2" >> test3.log

echo "3" >> test3.log

more test3.log

exit

[email protected]_test_static1_11_35 fastdfs]#

PS: The recorded log matches the operations we actually performed, which shows that the function we wanted is working.

Reference article: http://www.heminjie.com/system/linux/412.html
