#\u65e5\u5e38\u5de5\u4f5c\u4e2d\u670d\u52a1\u5668\u5f88\u591a,\u4e5f\u4f1a\u51fa\u73b0\u5f88\u591a\u95ee\u9898,\u4f46\u662f\u51fa\u73b0\u95ee\u9898\u600e\u4e48\u67e5\u8be2\u539f\u56e0\u5462?history,last\u53ef\u4ee5\u67e5\u770b\u5230\u4e00\u4e9b\u8bb0\u5f55,\u4f46\u662f\u5e76\u4e0d\u5b8c\u6574,\u4e5f\u65e0\u6cd5\u51c6\u786e\u8ffd\u6eaf\u5230\u8c01,\u5728\u4ec0\u4e48\u65f6\u95f4,\u6267\u884c\u4e86\u4ec0\u4e48,\u8fd9\u4e2a\u65f6\u5019\u5982\u679c\u670d\u52a1\u5668\u88ab\u9ed1,\u6216\u8005\u88ab\u6076\u4f5c\u5267,\u5c31\u65e0\u6cd5\u5feb\u901f\u51c6\u786e\u5224\u65ad,\u5e76\u5b9a\u4f4d\u95ee\u9898,\u5982\u679c\u5f00\u542f\u4e86\u64cd\u4f5c\u65e5\u5fd7\u5ba1\u8ba1\u5c31\u53ef\u4ee5\u5f88\u597d\u7684\u5224\u65ad\u95ee\u9898,\u540c\u65f6\u96c6\u4e2d\u7ba1\u7406\u5f52\u6863,\u589e\u52a0\u7cfb\u7edf\u7684\u5b89\u5168\u6027.<\/p>\n
#\u73af\u5883<\/p>\n
\u7cfb\u7edf:CentOS Linux release 7.4.1708 (Core)<\/p>\n
\u5ba2\u6237\u7aef:172.16.10.25<\/p>\n
\u670d\u52a1\u7aef:172.16.10.181<\/p>\n
#\u5de5\u5177<\/p>\n
1,logger<\/p>\n
logger\u662f\u4e00\u4e2ashell\u63a5\u53e3\uff0c\u53ef\u4ee5\u901a\u8fc7\u8be5\u63a5\u53e3\u4f7f\u7528rsyslog\u7684\u65e5\u5fd7\u6a21\u5757\u3002<\/p>\n
Usage:\r\n logger [options] [message]\r\n\r\nOptions:\r\n -T, --tcp use TCP only\r\n -d, --udp use UDP only\r\n -i, --id log the process ID too\r\n -f, --file <file> log the contents of this file\r\n -h, --help display this help text and exit\r\n -S, --size <num> maximum size for a single message (default 1024)\r\n -n, --server <name> write to this remote syslog server\r\n -P, --port <port> use this port for UDP or TCP connection\r\n -p, --priority <prio> mark given message with this priority\r\n -s, --stderr output message to standard error as well\r\n -t, --tag <tag> mark every line with this tag\r\n -u, --socket <socket> write to this Unix socket\r\n -V, --version output version information and exit<\/pre>\n2,rsyslog<\/p>\n
rsyslog\u662fsyslog\u7684\u52a0\u5f3a\u7248\uff0c\u53ef\u4ee5\u7528\u4f5c\u5ba2\u6237\u7aef\u53ca\u670d\u52a1\u5668\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528local0\uff5elocal7\u6765\u81ea\u5b9a\u4e49\u8bbe\u5907\u4f20\u8f93\u81f3rsyslog\u3002<\/p>\n
3,prompt_command<\/p>\n
Linux\u7cfb\u7edf\u7684\u73af\u5883\u53d8\u91cfPROMPTCOMMAND\u7684\u5185\u5bb9\u4f1a\u5728bash\u63d0\u793a\u7b26\u663e\u793a\u4e4b\u524d\u88ab\u6267\u884c\u3002\u8be5\u73af\u5883\u53d8\u91cf\u7684\u9ed8\u8ba4\u503c\u662f history -a \u529f\u80fd\u662f\u5c06\u76ee\u524d\u65b0\u589e\u7684history\u8ffd\u52a0\u5230histfiles \u4e2d\uff0c\u9ed8\u8ba4\u5199\u5165\u9690\u85cf\u6587\u4ef6~\/.bashhistory\u4e2d<\/p>\n
#\u90e8\u7f72<\/p>\n
1,\u90e8\u7f72rsyslog\u65e5\u5fd7\u670d\u52a1\u5668server\u7aef<\/p>\n
vim \/etc\/rsyslog.conf\r\n$ModLoad imudp\r\n$UDPServerRun 514\r\n$AllowedSender UDP, 172.16.0.0\/16\r\n$template IpTemplate,\"\/var\/log\/remote\/%FROMHOST-IP%\/%$YEAR%-%$MONTH%-%$DAY%.log\"\r\n:fromhost-ip, !isequal, \"127.0.0.1\" ?IpTemplate\r\n& ~\r\n\r\n\r\n\r\n$ModLoad imudp #\u914d\u7f6e\u670d\u52a1\u5f00\u542fudp\u534f\u8bae\r\n$UDPServerRun 514 #\u914d\u7f6eudp 514\u4e3a\u670d\u52a1\u8fd0\u884c\u7aef\u53e3\r\n$AllowedSender UDP #\u914d\u7f6eudp\u7684\u767d\u540d\u5355\r\n$template IpTemplate #\u914d\u7f6e\u6a21\u677f\uff0c\u4ee5\u5ba2\u6237\u7aefip\u4e3a\u76ee\u5f55\uff0c\u4ee5\u65e5\u671f\u547d\u540d\u6587\u4ef6\r\n:fromhost-ip, !isequal, \"127.0.0.1\" ?IpTemplate #\u628a\u975e\u672c\u5730\u4f20\u8f93\u7684\u65e5\u5fd7\u6309\u7167\u6307\u5b9a\u7684\u6a21\u677f\u5b58\u653e\r\n& ~ #& \u8868\u793a\u5df2\u7ecf\u5339\u914d\u5904\u7406\u7684\u5185\u5bb9\uff0c~ \u8868\u793a\u4e0d\u518d\u8fdb\u884c\u5176\u4ed6\u5904\u7406\r\n\r\n#\u91cd\u542f\u670d\u52a1\r\nsystemctl restart rsyslog<\/pre>\n<\/p>\n
2,\u90e8\u7f72\u5ba2\u6237\u7aefrsyslog\u914d\u7f6e<\/p>\n
1,\u914d\u7f6eprompt_command<\/p>\n
vim \/etc\/bashrc\r\nreadonly PROMPT_COMMAND='logger -p local3.notice -t bash \"$(ifconfig | grep -E \"eth|em\" -A 1 | grep \"10.10\" | grep -oP \"(?<=addr:)[\\d\\.]+\") $(who am i |awk \"{print \\$1\\\" \\\"\\$2\\\" \\\"\\$3\\\" \\\"\\$4\\\" \\\"\\$5}\") [`pwd`] currentuser=$(whoami) command=$(history 1 | { read x cmd; echo \"$cmd\"; })\"'\r\n\r\n#load\u73af\u5883\u53d8\u91cf,!!!\u8fd9\u6b65\u8d3c\u91cd\u8981,\u5982\u679c\u4e0d\u6267\u884c\u6050\u65e0\u6cd5\u8bb0\u5f55\u5f53\u524d\u64cd\u4f5c\r\nsource \/etc\/bashrc\r\n\r\nlocal3.notice \u4f7f\u6211\u4eec\u81ea\u5b9a\u4e49\u7684\u8bbe\u5907\uff0c\u7528\u4e8ersyslog\u8c03\u7528\uff1b \r\nbash \u662f\u6211\u4eec\u4e3a\u6bcf\u884c\u6253\u5370\u7684\u4fe1\u606f\u6253\u5370\u7684tag\uff1b \r\nifconfig | grep -E \u201ceth|em\u201d -A 1 | grep \u201c10.10\u201d | grep -oP \u201c(?<=addr:)[\\d.]+\u7528\u4e8e\u83b7\u53d6\u6211\u4eec\u670d\u52a1\u5668\u7684ip\uff1b \r\nwho am i |awk \u201c{print $1\\\u201d \\\u201d$2\\\u201d \\\u201d$3\\\u201d \\\u201d$4\\\u201d \\\u201d$5}\u201d\u7528\u4e8e\u83b7\u53d6\u6211\u4eec\u5f53\u524d\u7528\u6237\u7684\u767b\u5f55\u4fe1\u606f\uff1b \r\npwd\u7528\u4e8e\u5217\u51fa\u6211\u4eec\u5f53\u524d\u6240\u5728\u7684\u76ee\u5f55\uff1b \r\nwhoami\u7528\u4e8e\u83b7\u53d6\u6211\u4eec\u5f53\u524d\u5207\u6362\u7684\u6267\u884c\u547d\u4ee4\u7684\u7528\u6237\uff0c\u4f8b\u5982\u6211\u4eec\u4ecetest \u7528\u6237 sudo -i\uff0c\u6267\u884c\u547d\u4ee4\u7684\u7528\u6237\u4e3aroot\uff0c\u4f46\u662f\u767b\u5f55\u7684\u7528\u6237test\uff0c\u65b9\u4fbf\u6211\u4eec\u533a\u5206\uff1b \r\ncommand \u662f\u6211\u4eec\u5f53\u524d\u7528\u6237\u6267\u884c\u7684\u547d\u4ee4\u3002\r\n\r\n\u6ce8\u610f\uff1a \r\n1.\u6211\u4eec\u9700\u8981\u5728\/etc\/bashrc\u6216\/etc\/profile\u4e2d\u6dfb\u52a0\u73af\u5883\u53d8\u91cf\uff0c\u7528\u4e8e\u6240\u6709\u7528\u6237\u3002 \r\n2.export PROMPT_COMMAND \u5982\u679c\u5c06PROMPT_COMMAND\u5bfc\u51fa\u5230\u7528\u6237\u5de5\u4f5c\u533a\uff0c\u90a3\u4e48\u5bf9\u4e8e\u6709\u7ecf\u9a8c\u7684\u7528\u6237\u5c31\u53ef\u4ee5\u505a\u8d4b\u503c\u64cd\u4f5c export PROMPT_COMMAND =\u201c\u201d \uff0c\u7b80\u5355\u7684\u8bed\u6cd5\u5c31\u4f1a\u5bfc\u81f4\u8bb0\u5f55\u529f\u80fd\u5f53\u524dsession\u7aef\u4e0d\u53ef\u7528\uff0c\u6240\u4ee5PROMPT_COMMAND\u5fc5\u987b\u8bbe\u7f6e\u6210\u53ea\u8bfb\u7684\u5c5e\u6027\uff0creadonly PROMPT_COMMAND<\/pre>\n2,\u914d\u7f6ersyslog\u5ba2\u6237\u7aef<\/p>\n
vim \/etc\/rsyslog.conf\r\n*.info;mail.none;authpriv.none;cron.none;local3.none \/var\/log\/messages\r\nlocal3.notice \/var\/log\/audit.log\r\nlocal3.notice @172.16.10.181\r\n\r\n#\u91cd\u542f\u670d\u52a1\r\nsystemctl restart rsyslog\r\n\r\n\r\n*.info;mail.none;authpriv.none;cron.none;local3.none #\u8bbe\u7f6elocal3\u4e0d\u5199\u5165message \r\nlocal3.notice \/var\/log\/audit.log #\u4fdd\u5b58\u5230\u672c\u5730\u7684\u6587\u4ef6\r\nlocal3.notice @172.16.10.181 #\u53d1\u7ed9\u8fdc\u7a0b\u65e5\u5fd7\u670d\u52a1\u5668\r\n\r\nlocal3.notice \u662f\u5728logger\u4e2d\u5b9a\u4e49\u7684\u8bbe\u5907\uff0cnotice\u662f\u6253\u5370\u65e5\u5fd7\u7684\u7ea7\u522b,\u7528\u4e8ersyslog\u8c03\u7528\u5e76\u5c06\u6253\u5370\u4fe1\u606f\u8f93\u51fa\u81f3\u6307\u5b9a\u6587\u4ef6\u3002<\/pre>\n3,\u914d\u7f6e\u8f6e\u8f6c\u65e5\u5fd7<\/p>\n
vim \/etc\/logrotate.d\/rsyslog\r\n\/var\/log\/audit.log{\r\n daily\r\n rotate 4\r\n missingok\r\n notifempty\r\n nocompress\r\n create\r\n dateext\r\n sharedscripts\r\n postrotate\r\n \/bin\/kill -HUP `cat \/var\/run\/syslogd.pid 2> \/dev\/null` 2> \/dev\/null || true\r\n endscript\r\n}\r\n\r\n#\u624b\u52a8\u5f3a\u5236\u8f6e\u8f6c\r\nlogrotate -vf \/etc\/logrotate.d\/rsyslog<\/pre>\n#\u6d4b\u8bd5<\/p>\n
1,\u5ba2\u6237\u7aef<\/p>\n
[root@manage-dns25-ctos7 ~]# tail \/var\/log\/audit.log \r\nJan 26 17:26:25 manage-dns25-ctos7 bash: admin pts\/0 2018-01-26 10:34 (172.16.1.12) [\/root] currentuser=root command=tail -F xferin.log\r\nJan 26 17:26:28 manage-dns25-ctos7 bash: admin pts\/0 2018-01-26 10:34 (172.16.1.12) [\/root] currentuser=root command=cat \/etc\/redhat-release<\/pre>\n2,\u670d\u52a1\u7aef<\/p>\n
[root@test-yumwei10_181-ctos ~]# tail \/var\/log\/remote\/172.16.1\r\n172.16.10.21\/ 172.16.10.25\/ 172.16.10.80\/ 172.16.12.1\/ 172.16.12.2\/ \r\n[root@test-yumwei10_181-ctos ~]# tail \/var\/log\/remote\/172.16.10.25\/2018-01-26.log \r\nJan 26 17:26:25 manage-dns25-ctos7 bash: admin pts\/0 2018-01-26 10:34 (172.16.1.12) [\/root] currentuser=root command=tail -F xferin.log\r\nJan 26 17:26:28 manage-dns25-ctos7 bash: admin pts\/0 2018-01-26 10:34 (172.16.1.12) [\/root] currentuser=root command=cat \/etc\/redhat-release\r\nJan 26 17:28:00 manage-dns25-ctos7 bash: admin pts\/0 2018-01-26 10:34 (172.16.1.12) [\/root] currentuser=root command=tail \/var\/log\/audit.log<\/pre>\n<\/p>\n","protected":false},"excerpt":{"rendered":"
#\u65e5\u5e38\u5de5\u4f5c\u4e2d\u670d\u52a1\u5668\u5f88\u591a,\u4e5f\u4f1a\u51fa\u73b0\u5f88\u591a\u95ee\u9898,\u4f46\u662f\u51fa\u73b0\u95ee\u9898\u600e\u4e48\u67e5\u8be2\u539f\u56e0\u5462?histo … \u7ee7\u7eed\u9605\u8bfb