There are times when you use a bastion machine but still need to know which commands a user has run on the host.
A rsyslog property whose name begins with $ is a variable obtained from the local system; it is not taken from the message itself.
First, configure the shell variables that record each SSH command and write it to a file, located at /var/log/ssh.log.
# vi /etc/profile.d/ssh.sh    # create the script ssh.sh to hold the variables

# File that every login shell appends its command lines to.
# It must be writable by every user whose shell sources this script.
export HISTORY_FILE=/var/log/ssh.log
# Run after each command: date/time ##### user tty (host) #### last command.
# The command text is spliced into date's format string, so any % sequence in a
# command (for example %s) is expanded by date before it is written.
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i | awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >> $HISTORY_FILE'
After creating the file, source it so that it takes effect:
# source /etc/profile.d/ssh.sh
Once the configuration above is in place, you can view the /var/log/ssh.log file:
# tail -f /var/log/ssh.log
Note: if you want one file per day, change ssh.log in ssh.sh to ssh-`date +%F`.log; the log is then saved by day. For the date short formats, see the Linux date format reference in the appendix.
# The backquoted date is evaluated once, when the profile is sourced at login,
# so a long-running session keeps writing to the file named for its login day.
export HISTORY_FILE=/var/log/ssh-`date +%F`.log    # note that the date command is also enclosed in backquotes
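The lines this script writes can be parsed on the collection side as shown in the following added example, which is not part of the original post. The sample log lines are constructed, and the watch-list patterns are an assumption; the parser handles a console login (no remote host field) and a command that itself contains "####".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /var/log/ssh.log as written by the PROMPT_COMMAND above:
#   <date> <time> ##### <user> <tty> (<remote host>) #### <command>
# Line 3 is a console login: `who am i` prints no host there, so the awk field
# is empty.  Line 4 contains "####" inside the command itself.
SAMPLE_LOG = """\
2016-04-19 10:23:45 ##### root pts/0 (192.0.2.10) #### cat /etc/shadow
2016-04-19 10:24:01 ##### alice pts/1 (198.51.100.7) #### sudo -i
2016-04-19 10:25:13 ##### bob tty1  #### ls -la
2016-04-19 10:26:30 ##### root pts/0 (192.0.2.10) #### echo "#### not a separator"
"""

# Assumed watch-list for the collection server; adjust to your own policy.
WATCHLIST = (r"/etc/shadow", r"^sudo\s+-i\b")

@dataclass
class AuditEntry:
    timestamp: str
    user: str
    tty: str
    host: Optional[str]   # None for console logins
    command: str          # empty if `history 1` printed nothing

def parse_line(line: str) -> Optional[AuditEntry]:
    """Parse one ssh.log line; return None if it is not in the expected format."""
    head, sep, rest = line.rstrip("\n").partition(" ##### ")
    if not sep:
        return None
    # Split on the *leftmost* " #### ": the who-am-i part never contains it,
    # so a "####" inside the command text stays with the command.
    who, sep, command = rest.partition(" #### ")
    if not sep:
        return None
    fields = who.split()
    if len(fields) < 2:
        return None
    host = fields[2].strip("()") if len(fields) > 2 else None
    return AuditEntry(head, fields[0], fields[1], host, command)

def parse_log(text: str) -> List[AuditEntry]:
    """Parse a whole file, silently skipping malformed lines."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]

def flag_suspicious(entries: List[AuditEntry]) -> List[AuditEntry]:
    """Entries whose command matches any watch-list pattern."""
    return [e for e in entries if any(re.search(p, e.command) for p in WATCHLIST)]
```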
Second, add the rsyslog imfile module to upload the log.
# vi /etc/rsyslog.d/ssh-log.conf

# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# Note: the Chinese comments in this configuration file were added for beginners' convenience
# and are not official; Chinese comments can cause strange problems.
# Recommendation: delete all Chinese comments before use; if you want comments, write them in English (not pinyin).

# Load the imfile module
$ModLoad imfile
# Interval (in seconds) at which the log file is checked
$InputFilePollInterval 1
# Owner of the log file
$FileOwner root
# Use the custom output format. The template "myformat" is not defined in this file;
# it must already be defined elsewhere (for example in /etc/rsyslog.conf), or rsyslog will reject it.
$ActionFileDefaultTemplate myformat
# Directory where state files are saved; they record information such as the position scanned so far in the log.
# During testing the server collected no logs because an already-scanned file was not uploaded again;
# clearing this directory cache resolves that.
$WorkDirectory /var/spool/rsyslog
# Queue file name
#$ActionQueueFileName relpact
# Retry count, -1 means retry indefinitely
#$ActionResumeRetryCount -1
# Save the queue contents to disk when rsyslog shuts down, to prevent data loss
#$ActionQueueSaveOnShutdown on
$PrivDropToGroup root

# Log format template:
$template bigLogFormatTomcat,"%msg%\n"

## Path of the file to read (originally tomcat's catalina.out); modify according to the actual situation:
# Read this log file
$InputFileName /var/log/ssh.log
# Tag added to each log message
$InputFileTag ssh-log
# Facility: local5 must be the same as the local5 name used in the filter on the log collection server.
$InputFileFacility local5
# Name of the state file that records the read offset
$InputFileStateFile stat-ssh-log
# Log severity
$InputFileSeverity info
# Interval (in seconds) for writing the offset state back to file
$InputFilePersistStateInterval 1
# Activate reading. Several groups of log reads can be set up; put this directive at the end of each group for it to take effect.
$InputRunFileMonitor

# When sending logs to a different server, specify that server's IP:port separately here;
# if everything goes to the same server, specifying it once in rsyslog.conf is enough.
# local5.* @@192.168.1.251:514
Restart the rsyslog service for the change to take effect:
# service rsyslog restart
Appendix: Linux date short format reference

%%   a literal %
%a   locale's abbreviated weekday name (e.g., Sun)
%A   locale's full weekday name (e.g., Sunday)
%b   locale's abbreviated month name (e.g., Jan)
%B   locale's full month name (e.g., January)
%c   locale's date and time (e.g., Thu Mar  3 23:05:25 2005)
%C   century; like %Y, except omit last two digits (e.g., 20)
%d   day of month (e.g., 01)
%D   date; same as %m/%d/%y
%e   day of month, space padded; same as %_d
%F   full date; same as %Y-%m-%d
%g   last two digits of year of ISO week number (see %G)
%G   year of ISO week number (see %V); normally useful only with %V
%h   same as %b
%H   hour (00..23)
%I   hour (01..12)
%j   day of year (001..366)
%k   hour ( 0..23)
%l   hour ( 1..12)
%m   month (01..12)
%M   minute (00..59)
%n   a newline
%N   nanoseconds (000000000..999999999)
%p   locale's equivalent of either AM or PM; blank if not known
%P   like %p, but lower case
%r   locale's 12-hour clock time (e.g., 11:11:04 PM)
This article is from the "Enlightened Grocery Store" blog; please be sure to keep this source: http://wutou.blog.51cto.com/615096/1765451
Syslog-ng+rsyslog Collect logs: Collect SSH user commands (iv)