Monday, 16 June 2014

Monitor & Record all Shell Commands & Send Logs to Centralized RSyslog Server

In this post I will show how to record every user's shell activity, i.e. the commands executed in interactive bash sessions, and send those logs to a centralized log server.

In this demo I have a couple of CentOS 6.3 x86_64 machines with a minimal installation.

1) Rsyslog is installed by default on CentOS; in case it is not, install the package on both the client and the server.
[root@server ~]# yum install rsyslog -y
[root@client ~]# yum install rsyslog -y


2) Edit /etc/bashrc on the client so that every command executed in an interactive bash session is recorded
[root@client ~]# vim /etc/bashrc
Add these lines to the end of the file
remoteip=$(who am i | awk '{print $5}' | sed "s/[()]//g" )
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local3.debug "$(whoami)  $remoteip  [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

How this works: bash runs PROMPT_COMMAND just before it prints each prompt, so as soon as a command finishes its exit status ($?) and the last history entry (with the history number stripped by sed) are sent to syslog with facility local3 at priority debug. remoteip is read once per shell from the "(host)" column of who am i and is empty for console logins, and $$ is the PID of the shell, which lets you tie lines from the same session together. This covers interactive bash only: a user can sidestep it by starting another shell, unsetting PROMPT_COMMAND or turning history off, so treat it as an activity log rather than a tamper-proof audit trail and use auditd (execve rules or pam_tty_audit) where that matters.


3) Configure rsyslog on the client to write facility local3 to a local log file
[root@client ~]# vim /etc/rsyslog.conf
local3.*                /var/log/user-activity.log


4) Restart rsyslog on the client
[root@client ~]# service rsyslog restart


5) Log off and log back in so that the new /etc/bashrc is read, then check the result in /var/log/user-activity.log. Each line shows the syslog timestamp and host, the logger tag (the login name of the session, which is why it stays "root" even after su - ahmed), and then the message built by PROMPT_COMMAND: the effective user from whoami, the remote IP, the shell PID in brackets, the command, and its exit status in brackets.
[root@client ~]# cat /var/log/user-activity.log
Oct  7 00:18:20 ad root: root  192.168.124.1   [4927]: service postfix stautus [2]
Oct  7 00:18:25 ad root: root  192.168.124.1   [4927]: service postfix status [0]
Oct  7 00:19:10 ad root: root  192.168.124.1  [4991]: exit [0]
Oct  7 00:19:16 ad root: root  192.168.124.1  [4991]: service postfix status [0]
Oct  7 00:19:23 ad root: root  192.168.124.1  [4991]: service sendmail status [1]
Oct  7 00:20:05 ad root: root  192.168.124.1  [4991]: date [0]
Oct  7 00:20:06 ad root: root  192.168.124.1  [4991]: pwd [0]
Oct  7 00:20:10 ad root: root  192.168.124.1  [4991]: history  [0]
Oct  7 00:20:15 ad root: root  192.168.124.1  [4991]: service named status [0]
Oct  7 00:20:21 ad root: root  192.168.124.1  [4991]: service named restart [0]
Oct  7 00:20:49 ad root: root  192.168.124.1  [4991]: cp -v /home/ahmed/* /root [0]
Oct  7 00:21:03 ad root: root  192.168.124.1  [4991]: ll [0]
Oct  7 00:21:16 ad root: root  192.168.124.1  [4991]: cat su [0]
Oct  7 00:21:31 ad root: ahmed  192.168.124.1  [5135]: exit [0]
Oct  7 00:21:32 ad root: ahmed  192.168.124.1  [5135]: redhat [127]
Oct  7 00:21:35 ad root: ahmed  192.168.124.1  [5135]: who am i [0]
Oct  7 00:21:38 ad root: ahmed  192.168.124.1  [5135]: ls [0]
Oct  7 00:21:46 ad root: ahmed  192.168.124.1  [5135]: rm * [0]
Oct  7 00:21:49 ad root: root  192.168.124.1  [4991]: su - ahmed [0]

Two things to notice when reading this file: the exit status makes typos and failed commands stand out (stautus returned 2, the unknown command redhat returned 127), and because a command is logged only when its shell prints the next prompt, su - ahmed [0] appears after all of ahmed's commands, at the moment that shell exited and root got its prompt back. Lines from the same shell share the PID in brackets.

6) To centralize the logs, do the following on the central rsyslog server
[root@server ~]# vim /etc/rsyslog.conf
Uncomment the lines below so that rsyslog listens on UDP and TCP port 514
$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 514

[root@server ~]# vim /etc/rsyslog.d/remotesrv.conf
if $hostname contains 'client' then /var/log/servers/client.log
if $hostname contains 'client' then ~

The first rule writes every message whose hostname contains "client" to its own file (rsyslog creates the /var/log/servers directory itself, since $CreateDirs is on by default); the second discards those messages (~ is the discard action, the same thing as the usual "& ~" on the following line) so they do not also end up in /var/log/messages and the other files defined in /etc/rsyslog.conf. The stock configuration includes /etc/rsyslog.d/*.conf before its own rules, which is what makes the discard effective. Keep in mind that $hostname is the hostname field the client puts into the message, so a host can claim any name; match on $fromhost-ip if you want the rule tied to the sender's address.


7) Restart rsyslog on the server and allow the syslog connections through iptables
[root@server ~]# service rsyslog restart
[root@server ~]# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
[root@server ~]# iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
[root@server ~]# service iptables save
Check the result with iptables -L -n: the stock CentOS 6 INPUT chain ends with a REJECT rule, so rules appended with -A land below it and never match. If that is the case, insert them with -I (or edit /etc/sysconfig/iptables) so they sit above the REJECT, and add -s 192.168.124.0/24 to limit the listener to the subnet the clients are on. Note that plain syslog over UDP or TCP is neither encrypted nor authenticated, so anyone on the path can read or spoof these messages; rsyslog can wrap the TCP transport in TLS (the gtls network stream driver) if the log path crosses an untrusted network.


8) On the client, configure rsyslog to forward facility local3 to the server
[root@client ~]# vim /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
$AllowedSender UDP, 127.0.0.1, 192.168.124.0/24

$ModLoad imtcp
$InputTCPServerRun 514
$AllowedSender TCP, 127.0.0.1, 192.168.124.0/24

local3.*        @@192.168.124.250:514

Only the last line is needed for forwarding: @@ sends over TCP to the server at 192.168.124.250 (a single @ would use UDP, which can silently drop messages). The local3.* rule from step 3 still applies, so the commands are kept locally as well as on the server. The imudp/imtcp and $AllowedSender lines turn the client itself into a syslog listener on port 514 restricted to the given senders; they are not required for forwarding and can be left out unless the client should also relay logs from other hosts.


9) Restart the rsyslog service on the client as well
[root@client ~]# service rsyslog restart

10) Log off and log back in, run a few commands, and they will be recorded on the server in the file defined in step 6, /var/log/servers/client.log. If nothing arrives, send a test message from the client with logger -p local3.debug test and check that it shows up in the local file first and then on the server.
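Once the commands are in user-activity.log, the useful part is picking out the failed and sensitive ones rather than reading the whole file. The script below is an added example, not code from the original post: it parses lines in the format produced by the PROMPT_COMMAND line from step 2 into user, remote IP, shell PID, command and exit status, and flags non-zero exits and commands on a small watch list. The sample lines are copied from the output shown in step 5, plus one constructed line for a console login (empty remote IP) whose command contains a pipe; the watch list and the label names (FAILED, WATCH, UNPARSED) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: parse and triage lines written to /var/log/user-activity.log by the
# PROMPT_COMMAND logger from step 2. Expected line format (see the output in step 5):
#   <timestamp> <host> <tag>: <user>  <remote ip>  [<shell pid>]: <command> [<exit status>]
# The remote ip field is empty for console logins, where "who am i" prints no "(host)".

# Sample input: the first five lines are copied from the post's output, the last one is
# constructed to cover a console login and a command containing a pipe.
SAMPLE_LOG='Oct  7 00:18:20 ad root: root  192.168.124.1   [4927]: service postfix stautus [2]
Oct  7 00:18:25 ad root: root  192.168.124.1   [4927]: service postfix status [0]
Oct  7 00:21:32 ad root: ahmed  192.168.124.1  [5135]: redhat [127]
Oct  7 00:21:46 ad root: ahmed  192.168.124.1  [5135]: rm * [0]
Oct  7 00:21:49 ad root: root  192.168.124.1  [4991]: su - ahmed [0]
Oct  7 00:22:10 ad root: root    [5201]: cat /etc/shadow | wc -l [0]'

# parse_line LINE: print "user|ip|pid|status|command" for a well-formed line, nothing otherwise.
# The command is kept last so that any "|" inside it survives the later split.
parse_line() {
    printf '%s\n' "$1" | sed -n -E \
        's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ [^ ]+: ([^ ]+) +([^ ]*) +\[([0-9]+)]: (.*) \[([0-9]+)]$/\1|\2|\3|\5|\4/p'
}

# triage LOGTEXT: print one line per event worth a look.
#   FAILED   the command returned a non-zero status (typos, permission errors, unknown commands)
#   WATCH    the command matches an illustrative watch list (assumption: adjust to your environment)
#   UNPARSED the line did not match the expected format (truncated or foreign message)
triage() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        fields=$(parse_line "$line")
        if [ -z "$fields" ]; then
            printf 'UNPARSED %s\n' "$line"
            continue
        fi
        # Split on "|"; the last variable receives the rest of the line, pipes included.
        IFS='|' read -r user ip pid status cmd <<EOF
$fields
EOF
        if [ "$status" -ne 0 ]; then
            printf 'FAILED   user=%s ip=%s pid=%s status=%s cmd=%s\n' "$user" "${ip:-console}" "$pid" "$status" "$cmd"
        fi
        case "$cmd" in
            "rm "*|su|"su "*|"sudo "*|"chmod "*|"chown "*|passwd*|"useradd "*|*/etc/shadow*|*/etc/sudoers*)
                printf 'WATCH    user=%s ip=%s pid=%s cmd=%s\n' "$user" "${ip:-console}" "$pid" "$cmd"
                ;;
        esac
    done
}

# count_flagged KIND LOGTEXT: number of triage lines of the given kind (FAILED, WATCH or UNPARSED).
count_flagged() {
    triage "$2" | grep -c "^$1 " || true
}

triage "$SAMPLE_LOG"
```

Run it against the real file with triage "$(cat /var/log/user-activity.log)" or, on the server, against /var/log/servers/client.log. Because the command is the last field and the exit status is anchored at the end of the line, a command that itself contains brackets or pipes still parses; a message that was truncated or came from another program on facility local3 shows up as UNPARSED instead of being silently skipped.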
