In this post I will show how to record all user activity, i.e. the shell commands that are executed on each machine, and send those logs to a centralized log server.
In this demo I have a couple of CentOS 6.3 x86_64 machines with a minimal installation.
1) Rsyslog is installed by default on CentOS machines; in case it is not installed, install the rsyslog package on both the client and the server.
[root@server ~]# yum install rsyslog -y
[root@client ~]# yum install rsyslog -y
2) Edit /etc/bashrc on the client to record the shell commands that are executed
[root@client ~]# vim /etc/bashrc
Add these lines to the end of the file
remoteip=$(who am i | awk '{print $5}' | sed "s/[()]//g")
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local3.debug "$(whoami) $remoteip [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
PROMPT_COMMAND runs just before bash prints each prompt, so every message logs the command that has just finished (history 1, with the history number stripped by sed) together with its exit status ($RETRN_VAL), the login name ($(whoami)), the remote address taken from field 5 of who am i (the part in parentheses; it is empty for console logins, which have no such field) and the PID of the shell ($$). This only covers interactive bash sessions and is not tamper-proof: a user who controls their own shell can unset PROMPT_COMMAND, disable history or start a different shell, so treat it as an audit trail rather than a security control.
3) Configure rsyslog on the client to write facility local3 to a log file
[root@client ~]# vim /etc/rsyslog.conf
local3.* /var/log/user-activity.log
4) Restart rsyslog on the client
[root@client ~]# service rsyslog restart
5) Log off and log back in to check the result in the file /var/log/user-activity.log
[root@client ~]# cat /var/log/user-activity.log
Oct  7 00:18:20 ad root: root 192.168.124.1 [4927]: service postfix stautus [2]
Oct  7 00:18:25 ad root: root 192.168.124.1 [4927]: service postfix status [0]
Oct  7 00:19:10 ad root: root 192.168.124.1 [4991]: exit [0]
Oct  7 00:19:16 ad root: root 192.168.124.1 [4991]: service postfix status [0]
Oct  7 00:19:23 ad root: root 192.168.124.1 [4991]: service sendmail status [1]
Oct  7 00:20:05 ad root: root 192.168.124.1 [4991]: date [0]
Oct  7 00:20:06 ad root: root 192.168.124.1 [4991]: pwd [0]
Oct  7 00:20:10 ad root: root 192.168.124.1 [4991]: history [0]
Oct  7 00:20:15 ad root: root 192.168.124.1 [4991]: service named status [0]
Oct  7 00:20:21 ad root: root 192.168.124.1 [4991]: service named restart [0]
Oct  7 00:20:49 ad root: root 192.168.124.1 [4991]: cp -v /home/ahmed/* /root [0]
Oct  7 00:21:03 ad root: root 192.168.124.1 [4991]: ll [0]
Oct  7 00:21:16 ad root: root 192.168.124.1 [4991]: cat su [0]
Oct  7 00:21:31 ad root: ahmed 192.168.124.1 [5135]: exit [0]
Oct  7 00:21:32 ad root: ahmed 192.168.124.1 [5135]: redhat [127]
Oct  7 00:21:35 ad root: ahmed 192.168.124.1 [5135]: who am i [0]
Oct  7 00:21:38 ad root: ahmed 192.168.124.1 [5135]: ls [0]
Oct  7 00:21:46 ad root: ahmed 192.168.124.1 [5135]: rm * [0]
Oct  7 00:21:49 ad root: root 192.168.124.1 [4991]: su - ahmed [0]
A few things to know when reading this output. The first entry of each new shell (the 'exit [0]' lines for PIDs 4991 and 5135) is really the last command of the previous session: PROMPT_COMMAND runs before the first prompt is printed, when history 1 still points at the entry loaded from ~/.bash_history. For the same reason 'su - ahmed' is logged by the parent shell (4991) only when the su session ends and the parent prompt returns, after all of ahmed's commands. The syslog tag after the hostname ('root:') is the login name of the session, not the effective user, so it stays root for the commands ahmed ran after su; that is why the hook records $(whoami) separately. Finally, 'redhat [127]' (exit 127 is bash's "command not found") is a string typed at the prompt that was not a command; anything typed at a prompt, including a mistyped password, lands in this log in cleartext, so restrict access to the log file accordingly.
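As an added example that is not part of the original post, the following script reimplements the field extraction done by the PROMPT_COMMAND hook from step 2 as plain shell functions and adds a small reader for lines in the format shown above, so both can be exercised offline without rsyslog or logger. The who am i lines, the history line and the log excerpt embedded in it are constructed for the example (the excerpt follows the output above), and the watch list of commands in audit_log is a hypothetical starting point, not something from the post.

```shell
#!/bin/bash
# Added example (not from the original post). Reimplements the field
# extraction done by the PROMPT_COMMAND hook and a reader for the resulting
# /var/log/user-activity.log lines. All inputs are constructed stand-ins.

# Remote address as the hook derives it: field 5 of `who am i` with the
# parentheses removed. A console login has no 5th field, so the hook would
# log an empty string; this function reports "local" for that edge case.
remote_ip_from_who() {
    who_line=$1
    ip=$(printf '%s\n' "$who_line" | awk '{print $5}' | sed 's/[()]//g')
    if [ -n "$ip" ]; then
        printf '%s\n' "$ip"
    else
        printf 'local\n'
    fi
}

# Strip the leading history number from a `history 1` line, as the hook's
# sed does (portable form of "s/^[ ]*[0-9]\+[ ]*//").
strip_history_number() {
    printf '%s\n' "$1" | sed 's/^[ ]*[0-9][0-9]*[ ]*//'
}

# Message body exactly as the hook hands it to logger:
#   <user> <remoteip> [<shell pid>]: <command> [<exit status>]
# Arguments: user remoteip pid history_line exit_status
format_entry() {
    printf '%s %s [%s]: %s [%s]\n' "$1" "$2" "$3" "$(strip_history_number "$4")" "$5"
}

# Parse one syslog line from user-activity.log into tab-separated fields:
#   user  remoteip  pid  command  status  timestamp
# Lines that do not end in "[<status>]" are dropped. Runs of spaces inside
# a command collapse to one because awk splits on whitespace.
parse_entry() {
    printf '%s\n' "$1" | awk '
        NF < 9 || $NF !~ /^\[[0-9]+]$/ { next }
        {
            pid = $8;     gsub(/[^0-9]/, "", pid)
            status = $NF; gsub(/[^0-9]/, "", status)
            cmd = ""
            for (i = 9; i < NF; i++) cmd = cmd (i > 9 ? " " : "") $i
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", $6, $7, pid, cmd, status, $1 " " $2 " " $3
        }'
}

# Review a log on stdin: flag commands on a (hypothetical) watch list and
# any command that exited non-zero. Prints one line per finding.
audit_log() {
    while IFS= read -r line; do
        rec=$(parse_entry "$line")
        [ -n "$rec" ] || continue
        user=$(printf '%s\n' "$rec" | cut -f1)
        cmd=$(printf '%s\n' "$rec" | cut -f4)
        status=$(printf '%s\n' "$rec" | cut -f5)
        case "$cmd" in
            rm\ *|rm)         printf 'DESTRUCTIVE user=%s cmd=%s\n' "$user" "$cmd" ;;
            su\ *|su|sudo\ *) printf 'PRIVILEGE user=%s cmd=%s\n' "$user" "$cmd" ;;
        esac
        if [ "$status" != "0" ]; then
            printf 'FAILED user=%s status=%s cmd=%s\n' "$user" "$status" "$cmd"
        fi
    done
}

# Constructed log excerpt in the format produced by the hook, after the
# syslog header that rsyslog prepends.
SAMPLE_LOG=$(cat <<'EOF'
Oct  7 00:18:20 ad root: root 192.168.124.1 [4927]: service postfix stautus [2]
Oct  7 00:18:25 ad root: root 192.168.124.1 [4927]: service postfix status [0]
Oct  7 00:19:23 ad root: root 192.168.124.1 [4991]: service sendmail status [1]
Oct  7 00:20:49 ad root: root 192.168.124.1 [4991]: cp -v /home/ahmed/* /root [0]
Oct  7 00:21:32 ad root: ahmed 192.168.124.1 [5135]: redhat [127]
Oct  7 00:21:46 ad root: ahmed 192.168.124.1 [5135]: rm * [0]
Oct  7 00:21:49 ad root: root 192.168.124.1 [4991]: su - ahmed [0]
EOF
)

printf '%s\n' "$SAMPLE_LOG" | audit_log
```

Run it directly to see the findings for the embedded excerpt, or pipe a real /var/log/user-activity.log into audit_log. The parser keys on the fixed "[pid]:" and trailing "[status]" tokens rather than on field positions of the command, so commands containing spaces or shell metacharacters parse correctly; a command containing a literal tab would still break the tab-separated output.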
6) To centralize the logs, do the following on the centralized rsyslog server
[root@server ~]# vim /etc/rsyslog.conf
Uncomment the lines below so rsyslog listens on UDP and TCP port 514
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
[root@server ~]# vim /etc/rsyslog.d/remotesrv.conf
if $hostname contains 'client' then /var/log/servers/client.log
if $hostname contains 'client' then ~
The first line writes every message from a host whose name contains 'client' to its own file; the second (~ is the legacy discard action) then drops the message so it is not also processed by the rules that follow in rsyslog.conf, such as the one for /var/log/messages. Files in /etc/rsyslog.d/ are pulled in by the $IncludeConfig directive, which on CentOS 6 sits before the RULES section, so this ordering holds.
7) Restart rsyslog and configure iptables to accept the rsyslog connections
[root@server ~]# service rsyslog restart
[root@server ~]# iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
[root@server ~]# iptables -I INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
[root@server ~]# service iptables save
Use -I (insert at the top of the chain) rather than -A here: the stock CentOS 6 INPUT chain ends with a REJECT rule, so a rule appended after it is never reached. Add -s 192.168.124.0/24 to both rules to limit who can reach the listener, and if the clients only forward over TCP (@@ in step 8) the UDP rule and the imudp listener can be left out.
8) On the client side, configure rsyslog to forward facility local3 to the server
[root@client ~]# vim /etc/rsyslog.conf
local3.* @@192.168.124.250:514
@@ forwards over TCP, a single @ over UDP. The client does not need to receive syslog itself, so do not add the listener directives ($ModLoad imudp, $UDPServerRun 514, $ModLoad imtcp, $InputTCPServerRun 514) or $AllowedSender lines here: they would open port 514 on every client, and $AllowedSender only restricts who may send to a listener. If you want a sender allow list such as $AllowedSender TCP, 127.0.0.1, 192.168.124.0/24, it belongs in the server configuration from step 6. Plain syslog over TCP is unencrypted and unauthenticated, so the commands, including anything typed at the prompt by mistake, travel in cleartext; keep this traffic on a trusted management network or use rsyslog's TLS support (the gtls network stream driver).
9) Restart the rsyslog service on the client side as well
[root@client ~]# service rsyslog restart
10) Log off, log back in and run some commands; they will be recorded on the server at the location defined in step 6, here /var/log/servers/client.log. To check the forwarding without logging off, run logger -p local3.debug test on the client and confirm the line appears in that file on the server.