history

junaid18183 · 06-13-2005, 05:24 PM

Hi to all,

Can any body give me some idea about how to track what are the activities done by the each user on particuler date.

Let me clear what I want

1] the

Code:

last

command displays a list of all
users logged in (and out) and other info like system start and shutdown.

Now using this info I come to know that on particuler day which user has logged on to the system.

2] Using this info I want ,what activities he/she has done on that day ?

.bash_history file in the home directory of each user gives a good info about which command he/she has run in the past but dont give any idea about the date.

any idea ?

Thanks

Tinkster · 06-13-2005, 06:36 PM

If you're using bash 3.x and have HISTTIMEFORMAT set
you would be able to get time-stamps. If your bash is a)
older or b) you didn't set it there's no way of finding out
what was done when.

Cheers,
Tink

junaid18183 · 06-13-2005, 06:44 PM

Quote:

If you're using bash 3.x and have HISTTIMEFORMAT set

How Could I check it.

rpm -q bash
bash-2.05a-13
gives me the version of bash

Tinkster · 06-13-2005, 06:49 PM

Well ... that's enough of a check, then. The older versions
of bash just didn't have the facility at all.

Cheers,
Tink

Artanicus · 06-13-2005, 06:52 PM

lemme just jump in here out of curiosity, I have bash over 3.0 and was wondering, what do I need to shove to the variable? Just 1, or the actual time format? Would the format be a 'date +%blaablaa' sequence, or what?

junaid18183 · 06-13-2005, 07:06 PM

Quote:

Well ... that's enough of a check, then

obviously,but if suppose it is greater than 3.x then how to check for the HISTTIMEFORMAT

I have checked the SHELLOPTS variable it does not have such things

Dont want to miss a learning new thing

Again from original question, is there any way in KDE or GNOME to find such ,

Because windows have such facilty ( history,recent files,temp files etc. though it can be deleted by any one, but if in place gives a good information for the above topic.)

Thanks

Tinkster · 06-13-2005, 07:26 PM

Quote:

Originally posted by Artanicus
lemme just jump in here out of curiosity, I have bash over 3.0 and was wondering, what do I need to shove to the variable? Just 1, or the actual time format? Would the format be a 'date +%blaablaa' sequence, or what?

Yep, it uses strftime strings ... a
man bash
/HISTTIMEFORMAT
would have answered that too, though ;}

Quote:

Originally posted by junaid18183
I have checked the SHELLOPTS variable it does not have such things

If you don't set it it's not there. If you want/need it, put
it in ~/.bashrc (~/.bash_logon) ...

Quote:

Originally posted by junaid18183
Because windows have such facilty ( history,recent files,temp files etc. though it can be deleted by any one, but if in place gives a good information for the above topic.)

find / -user <name> -ctime -<days-back> -ctime +<days-back-1>
should give you all files that are owned by that user and have been
modified <days-back> ago ...

Cheers,
Tink

mohammednv · 01-31-2008, 11:56 AM

Hmm..... I tried setting HISTTIMEFORMAT in .bashrc. But, didn't work as I expected.

If I set this in .bashrc, history always show time of user login, no matter when these commands are executed. I would like to get the actual time when user executed those commands.

--------------------------------------------------
[mohammed@41 ~]$ date
Thu Jan 31 21:11:37 IST 2008
[mohammed@41 ~]$ history | tail -2
1010 2008-Jan-31::21h:09m:52s date
1011 2008-Jan-31::21h:09m:52s history | tail -2
[mohammed@41 ~]$
[mohammed@41 ~]$ echo hello
hello
[mohammed@41 ~]$ echo hi
hi
[mohammed@41 ~]$ date
Thu Jan 31 21:12:01 IST 2008
[mohammed@41 ~]$ history | tail -6
1010 2008-Jan-31::21h:09m:52s date
1011 2008-Jan-31::21h:09m:52s history | tail -2
1012 2008-Jan-31::21h:09m:52s echo hello
1013 2008-Jan-31::21h:09m:52s echo hi
1014 2008-Jan-31::21h:09m:52s date
1015 2008-Jan-31::21h:09m:52s history | tail -6
--------------------------------------------------

Depending on default history setting is not always good. Commands you executed in the present console will be written to your history file (.bash_history by default) only when logout from that console. (Even though 'history' command will show you all commands you executed, it will be written to the file only when you logout). And I think, it wont be written if you just close the session or you are timed out from the session.

Also, what if you are logged into the same machine as same user from different consoles. How the commands will be written into the .bash_history file. I haven't checked this, but you can test it very easily.

So, what I am trying to do is, execute "history -a newhistfile" frequently within a script. This should write all commands executed in the present console to newhistfile. Unfortunately, this command is not working when I kept this in a script.

In short, what I want is to log all activities by every users.

Any ideas??. And any other way to do this??.

Regards,
Mohammed.

unSpawn · 02-02-2008, 09:07 AM

Quote:

Originally Posted by mohammednv

Hmm..... I tried setting HISTTIMEFORMAT in .bashrc. But, didn't work as I expected.

It's strftime, so 'export HISTTIMEFORMAT='%Y-%b-%d::%Hh:%Mm:%Ss '' should do.

Quote:

Originally Posted by mohammednv

In short, what I want is to log all activities by every users.

Would have cost you only one post if you stated that in your OP.
You'll want to use a wrapper like Rootsh.
FWIW: install, test it, *then* ask.

mohammednv · 02-02-2008, 10:10 AM

Thanks for your reply.

I am trying rootsh now.

BTW, could you please help me with this?.

The command "history -a testhist" will write all commands executed within present console to the file testhist. But, it is not working when I try it as a script. I also tried like "eval `history -a testhist`" and
"exec `history -a testhist`"......but no luck

.

I think it's because, there is no binary associated with history and so it's not a recognized command. Actually, I don't how history works. Sometimes, answer to this questions may resolve everything

If it works, I can run the script periodically by inserting a timestamp.

Any ideas??.

Regards,
Mohammed.

unSpawn · 02-02-2008, 02:18 PM

Quote:

Originally Posted by mohammednv

Actually, I don't how history works. Sometimes, answer to this questions may resolve everything

The history list is only active during interactive shells. So, onto Rootsh I'd say.

mohammednv · 02-10-2008, 01:45 AM

Hi,

At last I got 'history -a' command working within a script.

Here is what I did:

echo 'history -a .local_`date +%Y%b%d`' > hist
then added "source hist" into .bash_logout and that worked !!!.

Also, if you want to bring all these logfiles under root's ownership:
1. Either set a crontab under root to copy logfiles from all users.
2. Or write a setuid program which copies these logfiles into a file under root's ownership. Then run this at bash_logout.

Thanks,
Mohammed.

varu0612 · 03-17-2009, 10:42 AM

Quote:

Originally Posted by mohammednv

Hmm..... I tried setting HISTTIMEFORMAT in .bashrc. But, didn't work as I expected.

If I set this in .bashrc, history always show time of user login, no matter when these commands are executed. I would like to get the actual time when user executed those commands.

--------------------------------------------------
[mohammed@41 ~]$ date
Thu Jan 31 21:11:37 IST 2008
[mohammed@41 ~]$ history | tail -2
1010 2008-Jan-31::21h:09m:52s date
1011 2008-Jan-31::21h:09m:52s history | tail -2
[mohammed@41 ~]$
[mohammed@41 ~]$ echo hello
hello
[mohammed@41 ~]$ echo hi
hi
[mohammed@41 ~]$ date
Thu Jan 31 21:12:01 IST 2008
[mohammed@41 ~]$ history | tail -6
1010 2008-Jan-31::21h:09m:52s date
1011 2008-Jan-31::21h:09m:52s history | tail -2
1012 2008-Jan-31::21h:09m:52s echo hello
1013 2008-Jan-31::21h:09m:52s echo hi
1014 2008-Jan-31::21h:09m:52s date
1015 2008-Jan-31::21h:09m:52s history | tail -6
--------------------------------------------------

Depending on default history setting is not always good. Commands you executed in the present console will be written to your history file (.bash_history by default) only when logout from that console. (Even though 'history' command will show you all commands you executed, it will be written to the file only when you logout). And I think, it wont be written if you just close the session or you are timed out from the session.

Also, what if you are logged into the same machine as same user from different consoles. How the commands will be written into the .bash_history file. I haven't checked this, but you can test it very easily.

So, what I am trying to do is, execute "history -a newhistfile" frequently within a script. This should write all commands executed in the present console to newhistfile. Unfortunately, this command is not working when I kept this in a script.

In short, what I want is to log all activities by every users.

Any ideas??. And any other way to do this??.

Regards,
Mohammed.

Hi,

Do you have any idea how i can get the real time when the command has been executed and not the logout time ?

Thanks!

mohammednv · 11-07-2009, 02:03 AM

Yes, you can add this line to your bashrc or profile file.

HISTTIMEFORMAT="%h-%d-%Y - %H:%M:%S "

~mohammed

catkin · 11-07-2009, 08:01 AM

But shell history is a user convenience, not an audit tool. As mohammednv mentioned there are ways that a user can do things and not have them appear in the history file (there are other ways, too). Especially if you are trying to detect malfeasance by a competent user, shell history is useless.