## 更改history格式
# vi /etc/profile.d/history.sh
# Shell history settings for login shells (contents of /etc/profile.d/history.sh).
# NOTE(review): these are ordinary exported variables, so any user can reassign
# or unset them in their own session; they make history easier to read but are
# not a tamper-resistant audit control on their own.

# Prefix every `history` entry with its date and time (YYYY-MM-DD HH:MM:SS).
export HISTTIMEFORMAT='%F %T '
# Maximum number of lines kept in the history file.
export HISTFILESIZE=10000
# Maximum number of commands kept in memory for the running shell.
export HISTSIZE=1000
# Commands matching these patterns are never stored. A logging hook built on
# `history 1` (such as the PROMPT_COMMAND shown later on this page) will then
# see the previously stored entry instead of the ignored command.
export HISTIGNORE='ls -l:pwd:date'
# Do not store a command that is identical to the one just before it.
export HISTCONTROL=ignoredups
# source /etc/profile
1. 设置rsyslog信息的格式,主要是更改显示的日期
[root@localhost ~]# vi /etc/rsyslog.conf
# Use default timestamp format
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Custom line layout: date, time, sending host, tag, message text.
#   %$NOW%           - rsyslog's current date as YYYY-MM-DD (adds the year that
#                      the traditional "Jun 27 19:21:18" stamp lacks)
#   %TIMESTAMP:8:15% - characters 8 to 15 of the message timestamp, i.e. HH:MM:SS
# NOTE(review): the date comes from the local clock at processing time while the
# time comes from the message itself, so for delayed or relayed messages (or
# around midnight) the two halves can disagree. Presumably a single property
# such as %timestamp:::date-rfc3339% avoids this - verify on your rsyslog version.
$template xsformat,"%$NOW% %TIMESTAMP:8:15% %FROMHOST% %syslogtag% %msg%\n"
# Make xsformat the default template for file outputs.
$ActionFileDefaultTemplate xsformat
# 格式为
Jun 27 19:21:18 localhost sshd[1348]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 27 19:21:34 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
变为
2013-06-27 12:23:42 localhost sshd[1444]: pam_unix(sshd:session): session closed for user nagios
2013-06-27 12:26:30 localhost sshd[1228]: pam_unix(sshd:session): session closed for user root
## 服务器端
1. 打开udp端口514,接收远程来的日志
[root@localhost ~]# vi /etc/rsyslog.conf
# Provides UDP syslog reception
# NOTE(review): syslog over UDP has no authentication, integrity protection or
# encryption, and the sender address can be forged. Any host that can reach
# 514/udp can write entries into this server's logs, so restrict the port to the
# known client addresses with a host or network firewall, and treat the received
# records as unauthenticated when using them as evidence.
$ModLoad imudp
$UDPServerRun 514
2. 配置只接收local4这个设备的日志,并取消所有的日志都记录到/var/log/messages中;这样不会造成干扰
# Edit the first rule: adding local4.none stops messages received on local4
# from also being written to /var/log/messages.
*.info;mail.none;authpriv.none;cron.none;local4.none /var/log/messages
# Added: store local4 messages of every severity in /var/log/command.log.
# NOTE(review): this file will contain full command lines, including any
# passwords or tokens typed as arguments. Confirm the mode it is created with
# (see $FileCreateMode) keeps it readable by root only, and add it to log rotation.
local4.* /var/log/command.log
3. 重启服务
[root@localhost ~]# /etc/init.d/rsyslog restart
## 客户端
1. 把local4设备的消息远程发送到192.168.100.39服务端
[root@localhost ~]# vim /etc/rsyslog.conf
# Keep local4 out of the client's own /var/log/messages.
# NOTE(review): local4.none is listed twice in this selector; the repetition is
# redundant and a single occurrence is enough.
*.info;mail.none;authpriv.none;cron.none;local4.none;local4.none /var/log/messages
# Forward every local4 message to the log server. A single "@" selects UDP
# ("@@" would select TCP), so the command lines cross the network unencrypted
# and delivery is not guaranteed; messages lost in transit leave no trace.
local4.* @192.168.100.39
2. 把下面这条加入到/etc/bashrc。这样所有用户登录系统时,都会继承这个环境设置
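# Before each prompt is drawn, send the most recent history entry to syslog
# facility local4 as "[euid=USER:(REMOTE)]:[CWD]# COMMAND".
#
# - `history 1` prints "NUM DATE TIME COMMAND" only while HISTTIMEFORMAT is
#   '%F %T '; the read drops the first three fields. Without that format the
#   first two words of the command itself would be dropped instead.
# - read -r and the quoted printf keep backslashes and glob characters exactly
#   as typed. Unquoted, `rm *` would be logged as the expanded file list of the
#   current directory, which misrepresents what the user entered.
# - read consumes one line, so only the first line of a multi-line entry is sent.
# - The working directory is quoted so paths with spaces or glob characters are
#   logged verbatim.
# NOTE(review): PROMPT_COMMAND is a normal variable that a user can change or
# unset, and entries filtered by HISTIGNORE/HISTCONTROL never reach `history 1`.
# Treat this as convenience logging; a kernel-level facility such as auditd is
# the place for records that must resist tampering.
export PROMPT_COMMAND='{ msg=$(history 1 | { read -r a b c d; printf "%s\n" "$d"; }); ip=$(who am i | { read -r q w e r t; printf "%s\n" "$t"; }); logger -p local4.info "[euid=$(whoami):$ip]:[$(pwd)]# $msg"; }'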
# source /etc/bashrc
# 测试
在客户端测试
[root@localhost etc]# echo "this msg to 192.168.100.39"
this msg to 192.168.100.39
# 服务端
[root@localhost ~]# tail -f /var/log/command.log
2013-06-27 15:56:51 192.168.100.33 root: [euid=root:(192.168.100.88)]:[/usr/local/nagios/etc]# echo "this msg to 192.168.100.39"