history linux 日志服务器_编译bash实现history的syslog日志记录
一、編譯BASH實(shí)現(xiàn)bash的syslog日志記錄功能
1. 本文將通過(guò)bash軟件實(shí)現(xiàn)history記錄到syslog日志的功能,并通過(guò)該方式可以實(shí)現(xiàn)實(shí)時(shí)的傳送到了遠(yuǎn)端的日志集中服務(wù)器上,可以實(shí)現(xiàn)操作目志的審計(jì)功能。
操作系統(tǒng)版本 : CentOS 6.5 x64
2. 安裝6.5對(duì)應(yīng)bash源碼包
#安裝報(bào)警告可以忽略。
warning: bash-4.1.2-15.el6_4.src.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
...
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
[root@localhost soft]#
安裝完成后,會(huì)在當(dāng)前用戶主目錄下創(chuàng)建如下目錄結(jié)構(gòu)。
[root@localhost ~]# pwd
/root
# ls
anaconda-ks.cfg? bash-4.1.2-15.el6_4.src.rpm? install.log? install.log.syslog? rpmbuild? 公共的? 模板? 視頻? 圖片? 文檔? 下載? 音樂(lè)? 桌面
[root@localhost ~]# tree rpmbuild/
rpmbuild/
├── SOURCES
│?? ├── bash-2.02-security.patch
│?? ├── bash-2.03-paths.patch
│?? ├── bash-2.03-profile.patch
│?? ├── bash-2.05a-interpreter.patch
│?? ├── bash-2.05b-debuginfo.patch
│?? ├── bash-2.05b-manso.patch
│?? ├── bash-2.05b-pgrp_sync.patch
│?? ├── bash-2.05b-readline-oom.patch
│?? ├── bash-2.05b-xcc.patch
│?? ├── bash-3.2-audit.patch
│?? ├── bash-3.2-ssh_source_bash.patch
│?? ├── bash-4.0-nobits.patch
│?? ├── bash41-001
│?? ├── bash41-002
│?? ├── bash-4.1-bind_int_variable.patch
│?? ├── bash-4.1-broken_pipe.patch
│?? ├── bash-4.1-defer-sigchld-trap.patch
│?? ├── bash-4.1-examples.patch
│?? ├── bash-4.1-logout.patch
│?? ├── bash-4.1-manpage.patch
│?? ├── bash-4.1-manpage_trap.patch
│?? ├── bash-4.1-signal.patch
│?? ├── bash-4.1.tar.gz
│?? ├── bash-4.1-trap.patch
│?? ├── bash-bashbug.patch
│?? ├── bash-infotags.patch
│?? ├── bash-requires.patch
│?? ├── bash-setlocale.patch
│?? ├── bash-tty-tests.patch
│?? ├── dot-bash_logout
│?? ├── dot-bash_profile
│?? └── dot-bashrc
└── SPECS
└── bash.spec
2 directories, 33 files
2. 進(jìn)入目錄中,解決bash-4.1源碼包目錄
[root@localhost ~]# cd /root/rpmbuild/SOURCES/
[root@localhost SOURCES]# tar zxvf bash-4.1.tar.gz
[root@localhost SOURCES]# cp -a bash-4.1 bash-4.1-orig
[root@localhost SOURCES]#
[root@localhost SOURCES]# cd bash-4.1
[root@localhost bash-4.1]#
3. 修改代碼段一
# vim config-top.h
#取消104行的注釋,并將下面代碼修改為如下內(nèi)容,默認(rèn)情況下日志記錄在/var/log/message文件中,這調(diào)整為local1.debug指定的文件中。
/* #define SYSLOG_HISTORY */
#if defined (SYSLOG_HISTORY)
# define SYSLOG_FACILITY LOG_LOCAL1
# define SYSLOG_LEVEL LOG_DEBUG
#endif
4. 修改代碼段二
# vim bashhist.c
#找到701行開(kāi)始的程序段
701 void
702 bash_syslog_history (line)
703????? const char *line;
704 {
705?? char trunc[SYSLOG_MAXLEN];
706
707?? if (strlen(line) < SYSLOG_MAXLEN)
708???? syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s", getpid(), current_user.uid, line);
709?? else
710???? {
711?????? strncpy (trunc, line, SYSLOG_MAXLEN);
712?????? trunc[SYSLOG_MAXLEN - 1] = '\0';
713?????? syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d UID=%d %s", getpid(), current_user.uid, trunc);
714???? }
715 }
716 #endif
修改為如下內(nèi)容:
void
bash_syslog_history (line)
const char *line;
{
char trunc[SYSLOG_MAXLEN];
if (strlen(line) < SYSLOG_MAXLEN)
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PPID=%d PID=%d SID=%d UID=%d User=%s %s", getppid(), getpid(), getsid(getpid()), current_user.uid, current_user.user_name, line);
else
{
strncpy (trunc, line, SYSLOG_MAXLEN);
trunc[SYSLOG_MAXLEN - 1] = '\0';
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PPID=%d PID=%d SID=%d UID=%d User=%s %s", getppid(), getpid(), getsid(getpid()), current_user.uid, current_user.user_name, trunc);
}
}
5. 對(duì)比修改代碼
[root@localhost SOURCES]# diff -Npru bash-4.1-orig bash-4.1 > bash_history_syslog.patch
# cd ~/rpmbuild/SPECS/
# vim bash.spec
#加入兩行內(nèi)容,按如下格式如下,保存退出。
Patch119: bash_history_syslog.patch
…
%patch119 -p1 -b .history_syslog
…
6. 開(kāi)始編譯
[root@localhost SPECS]# rpmbuild -ba bash.spec
error: Failed build dependencies:
texinfo is needed by bash-4.1.2-15.el6.x86_64
再開(kāi)一個(gè)窗口安裝texinfo軟件包。
[root@localhost SPECS]# rpmbuild -ba bash.spec
[root@localhost SPECS]# cd? ~/rpmbuild/RPMS/x86_64/
7. 安裝bash rpm安裝包
[root@localhost ~]# cd? ~/rpmbuild/RPMS/x86_64/
[root@localhost x86_64]# ls
bash-4.1.2-15.el6.x86_64.rpm? bash-debuginfo-4.1.2-15.el6.x86_64.rpm? bash-doc-4.1.2-15.el6.x86_64.rpm
[root@localhost x86_64]#
[root@localhost x86_64]# rpm -Uvh --force bash-4.1.2-15.el6.x86_64.rpm
Preparing...??????????????? ########################################### [100%]
1:bash?????????????????? ########################################### [100%]
[root@localhost x86_64]#
8. 配置rsyslog日志服務(wù)
[root@localhost x86_64]# vi /etc/rsyslog.conf
#加入如下內(nèi)容:
local1.debug?? /var/log/bash
[root@localhost x86_64]# service rsyslog restart
關(guān)閉系統(tǒng)日志記錄器:?????????????????????????????????????? [確定]
啟動(dòng)系統(tǒng)日志記錄器:?????????????????????????????????????? [確定]
9. 查看日志記錄,成功存儲(chǔ)用戶操作日志,與history日志分開(kāi)存儲(chǔ),并且只有root權(quán)限可以操作該日志文件,如果配置日志服務(wù)器,操作日志將傳送到遠(yuǎn)程服務(wù)器。
[root@localhost ~]# tail -f /var/log/bash
Apr 13 00:47:11 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root ifconfig
Apr 13 00:47:12 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root ls
Apr 13 00:47:13 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root df -h
Apr 13 00:47:15 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root history
Apr 13 00:47:24 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root cat /var/log/bash
Apr 13 01:19:47 localhost bash: HISTORY: PPID=26139 PID=26141 SID=26141 UID=0 User=root cat /var/log/bash
Apr 13 01:19:57 localhost bash: HISTORY: PPID=26139 PID=26141 SID=26141 UID=0 User=root ifconfig
Apr 13 01:21:07 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root ifconfig
Apr 13 01:21:17 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root w
Apr 13 01:21:20 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root df -h
Apr 13 01:21:33 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root useradd abc
Apr 13 01:21:38 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root passwd abc
Apr 13 01:21:42 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root su - abc
Apr 13 01:21:44 localhost -bash: HISTORY: PPID=26192 PID=26193 SID=26159 UID=500 User=abc exit
二、rsyslog日志服務(wù)器配置
1. 日志服務(wù)器配置
# vi /etc/rsyslog.conf
將其中下面四行的注釋取消
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
在#### GLOBAL DIRECTIVES ####中加入如下內(nèi)容:
$template IpTemplate,"/var/log/%FROMHOST-IP%.log"
*.* ?IpTemplate
& ~
說(shuō)明:實(shí)現(xiàn)在接收遠(yuǎn)程的日志為客戶端IP地址命名。
然后重新啟動(dòng)rsyslogd服務(wù)
# service rsyslog restart
2. 日志客戶端配置
# vi /etc/rsyslog.conf
local1.debug??? @@192.168.0.66
# 然后重新啟動(dòng)rsyslogd服務(wù)
# service rsyslog restart
3. 查看結(jié)果,已經(jīng)可以接收結(jié)果了。
[root@testdb log]# cd /var/log
[root@testdb log]# ll
908
-rw-------? 1 root root?? 1718 412 09:51 127.0.0.1.log
-rw-------? 1 root root??? 272 412 09:43 192.168.0.65.log
-rw-------? 1 root root?? 3754 412 09:51 66_history_bash
-rw-------. 1 root root?? 2368 109 16:55 anaconda.ifcfg.log
-rw-------. 1 root root? 29331 109 16:55 anaconda.log
[root@testdb log]# tail -f 192.168.0.65.log
Apr 13 17:41:13 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root 192.168
Apr 13 17:42:40 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root sss
Apr 13 17:43:38 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root s
Apr 13 17:52:27 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root ifconfig
Apr 13 17:52:27 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root w
總結(jié)
以上是生活随笔為你收集整理的history linux 日志服务器_编译bash实现history的syslog日志记录的全部?jī)?nèi)容,希望文章能夠幫你解決所遇到的問(wèn)題。
- 上一篇: 冻结拆分_冻结首行与尾行?还有能这种操作
- 下一篇: c++11新特性_c++11新特性(四)