LINUX operations are logged to syslog and sent to the Syslog server

First, the configuration commands are logged to the syslog:

Under/ETC/BASHRC of the client, add:

Logger-p local3.info \ "' Who am I ' ======================================= is login \"

Export prompt_command= ' {msg=$ (History 1 | {read x y; echo $y;}); Logger-p Local3.info \[$ (Who am I) \]\# \ "${msg}" \ "; }‘

Logger command:

For the Syslog Shell Interface command, there are some parameters that are used here with-p, mainly to let it record the log type and level. For specific use, please man a bit

I don't know if you think about it. Append the command directly to the log file, this is also possible, but there are two problems, the file is only stored on the machine, can be artificially deleted,

So the syslog can not pass the record, or is not safe, this is to cooperate with the log server records, to achieve security. You can also do surveillance alarms.

Architecture is: syslog-ng Swatch

Re-configure the output of the log:

The above has put the log into the syslog of the system, now the purpose of storing the log to where the problem, the above configuration by default is to/var/log/message,

Let me change the following:

1: Local Storage:

Modify/etc/syslog.conf # If it is CentsOS6 or later, modify/etc/rsyslog.conf

Join

Local7.info/var/log/user_command.log

The above is to specify that LOCAL7 this type of info level log input into the/var/log/user_command.log, of course, also need to configure rollback problems (not mentioned here), which can also be used to match the *. I don't have to tell you this.

You can also upload the log to another place, this time this is configured, add:

Local7.info @log. server.com

The following is an example of the output result:

Nov 7 15:31:11 x.x.x.x root: [Root pts/0 2013-03-18 10:44 (10.57.41.86)]# SOURCE/ETC/BASHRC

Nov 7 15:31:20 x.x.x.x root: [Root pts/0 2013-03-18 10:44 (10.57.41.86)]# SOURCE/ETC/BASHRC

Nov 7 15:31:20 x.x.x.x root: [Root pts/0 2013-03-18 10:44 (10.57.41.86)]# Echo poll

Explanation: Because the client and the service side of the time is not the same, so here to see two different time, this is a good reference, or keep it,

What can be seen here are: Target IP, target user, target time, target login IP, command executed

LINUX operations are logged to syslog and sent to the Syslog server