命令记录收集记录-运维笔记

# 用户命令收集记录
 
 
环境：CentOS 7
yum install rsyslog -y
 
一,服务端
[root@server ]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
# Receive syslog over UDP (imudp). UDP syslog carries no authentication
# or integrity protection, so the source address used by the Remote
# template below is only as trustworthy as the network path: restrict
# 514/udp to the client subnet at the host firewall (imtcp with TLS is
# the hardened alternative).
$ModLoad imudp
# Listening port
$UDPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# One directory per sending host and one file per day, both keyed on the
# sender's IP (%fromhost-ip% is taken from the packet source address).
$template Remote,"/data/logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# Everything that did NOT originate on this host goes to the Remote
# template, i.e. the server's own local messages are skipped.
# NOTE(review): there is no "& stop" after this rule, so remote messages
# presumably continue through the rules below and also land in e.g.
# /var/log/messages — confirm that is intended.
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
 
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
authpriv.* /var/log/secure
mail.err -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.info;mail.none;authpriv.none;cron.none;auth.none;local6.none; /var/log/messages
local0.* /var/log/keepalived.log
# The clients send their command records on facility local5 (see the
# client section); no rule below selects local5 explicitly, so those
# records are kept only by the Remote template above (and, via *.info,
# presumably /var/log/messages).
local6.info /var/log/.history.log
local4.* /var/log/history.log

```

 
二,客户端
[root@client ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
authpriv.* /var/log/secure
mail.err -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.info;mail.none;authpriv.none;cron.none;auth.none;local6.none; /var/log/messages
local0.* /var/log/keepalived.log
local6.info /var/log/.history.log
# Added at the end: forward the command records that PROMPT_COMMAND emits
# on facility local5 to the collector. A single "@" is plain UDP ("@@"
# would be TCP): no delivery guarantee and no confidentiality, and the
# collector names its files after the packet source address, so keep
# this traffic on a trusted management network. Command lines may carry
# secrets as arguments; they travel in clear text.
# NOTE(review): local5 is not excluded from the *.info rule above, so the
# same records are presumably also written to the local /var/log/messages
# — confirm that is wanted.
local5.* @172.16.58.21
 
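# Client side: add this line to both /etc/profile and /etc/bashrc. The
# original note's reasoning: a non-login shell initialises its environment
# from bashrc while a login shell initialises from profile, so both files
# need it for every session type to be covered.
#
# PROMPT_COMMAND runs inside the user's interactive bash just before each
# prompt is drawn. It takes the most recent history entry and ships it to
# syslog on facility local5 (the client rsyslog config forwards local5.*
# to the collector).
#
# Limits — this is accountability logging, not tamper-resistant auditing:
#   - "history 1" is simply the newest entry, so the first prompt of a
#     session logs the last command of the previous session, and an empty
#     Enter re-logs the same entry.
#   - It depends on the user's own shell environment staying intact and
#     on the user running bash; where a trustworthy record is required,
#     pair it with kernel-level auditing (auditd, pam_tty_audit).
#   - Command lines may carry secrets as arguments; they are logged as-is.
#
# Fixes vs the original one-liner: "read -r" keeps backslashes in the
# recorded command, and printf '%s' "$y" replaces the unquoted "echo $y",
# which word-split the command and expanded any glob in it (e.g. "ls *"
# was logged as the expanded file list, and a command starting with "-n"
# lost its first word to echo's option parsing).
export PROMPT_COMMAND='{ command=$(history 1 | { read -r num y; printf "%s" "$y"; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'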
 
 
vim /etc/profile
加在最后一行
审计
 
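# Per-session bash history audit trail, appended to the end of
# /etc/profile. Every login gets its own history file under
# /var/log/.hist/<user>/, named after the login source and a timestamp,
# so concurrent sessions of one user do not overwrite each other's history.
#
# HISTDIR is deliberately hard-coded rather than read from the environment:
# an environment-supplied value (e.g. via ssh SendEnv) would let a login
# redirect where its history is written.
#
# Limits: this is a best-effort record, not tamper-resistant auditing —
# the history file belongs to the user; use auditd / pam_tty_audit where a
# trustworthy record is required.
export HISTTIMEFORMAT="[%Y%m%d-%H%M-:%S]"
# Login source of this session: the parenthesised host field of
# "who -u am i"; falls back to the hostname when "who" prints nothing
# (no utmp entry for this terminal).
# NOTE(review): when the host column is absent, $NF of "who -u" is a
# different column (the PID) rather than a host; the original had the same
# quirk and it is kept here to leave file names unchanged.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
HISTDIR=/var/log/.hist
if [ -z "$USER_IP" ]; then
  USER_IP=$(hostname)
fi
# Shared top-level directory. Each user creates their own subdirectory at
# first login, so it has to be world-writable; the sticky bit (1777, as on
# /tmp) stops users from renaming or removing each other's subdirectories,
# which the original plain 777 allowed.
if [ ! -d "$HISTDIR" ]; then
  mkdir -p "$HISTDIR"
  chmod 1777 "$HISTDIR"
fi
# Per-user directory: write + search only, not listable.
if [ ! -d "$HISTDIR/${LOGNAME}" ]; then
  mkdir -p "$HISTDIR/${LOGNAME}"
  chmod 300 "$HISTDIR/${LOGNAME}"
fi
export HISTSIZE=4096
DT=$(date +%Y%m%d_%H%M%S)
export HISTFILE="$HISTDIR/${LOGNAME}/${USER_IP}.hist.$DT"
# Tighten existing history files to owner-only. The glob must sit outside
# the quotes: the original quoted it, so it never expanded and the chmod
# was a silent no-op. No-match and permission errors are ignored on purpose
# (the shell must still start).
chmod 600 "$HISTDIR/${LOGNAME}"/*.hist* 2>/dev/null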
 
 
