#if defined (SYSLOG_HISTORY)
/* Facility and priority that every history record is sent with.  The
   rsyslog selector "local1.debug" used later on this page matches exactly
   these two values, so the records can be routed to their own file.  */
# define SYSLOG_FACILITY LOG_LOCAL1
# define SYSLOG_LEVEL LOG_DEBUG
#endif
# vim bashhist.c
#找到701行开始的程序段
/* Send one history line to syslog.  Lines shorter than SYSLOG_MAXLEN go out
   verbatim; longer ones are cut to SYSLOG_MAXLEN - 1 bytes and tagged
   "(TRUNCATED)".  LINE must be a NUL-terminated string: strlen is applied to
   it without a NULL check.  The text is always passed as a syslog argument,
   never as the format string.  */
void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];

  if (strlen (line) < SYSLOG_MAXLEN)
    {
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s", getpid(), current_user.uid, line);
      return;
    }

  /* The length test above guarantees at least SYSLOG_MAXLEN bytes are
     readable, so copy the prefix and terminate it by hand.  */
  memcpy (trunc, line, SYSLOG_MAXLEN - 1);
  trunc[SYSLOG_MAXLEN - 1] = '\0';
  syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d UID=%d %s", getpid(), current_user.uid, trunc);
}
716 #endif
修改为如下内容:
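/* Send one history line to syslog, prefixed with the identity of the shell
   that ran it: parent pid, pid, session id, numeric uid and user name.
   Lines shorter than SYSLOG_MAXLEN go out verbatim; longer ones are cut to
   SYSLOG_MAXLEN - 1 bytes and tagged "(TRUNCATED)".

   LINE must be a NUL-terminated string.  Its text is logged only as a
   syslog argument, never as the format string, so its content cannot
   influence formatting.  The record is whatever the history mechanism of
   this shell saw; treat it as an audit aid, not a tamper-evident trail.  */
void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];
  /* getsid(0) is the caller's own session.  pid_t/uid_t are cast to int so
     the arguments match the %d conversions below on every platform.  */
  int ppid = (int) getppid ();
  int pid = (int) getpid ();
  int sid = (int) getsid (0);
  int uid = (int) current_user.uid;
  /* user_name is filled in elsewhere in the shell; never hand a NULL to %s.  */
  const char *user = current_user.user_name ? current_user.user_name : "?";

  if (strlen (line) < SYSLOG_MAXLEN)
    {
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
              "HISTORY: PPID=%d PID=%d SID=%d UID=%d User=%s %s",
              ppid, pid, sid, uid, user, line);
      return;
    }

  /* The length test guarantees at least SYSLOG_MAXLEN bytes are readable, so
     copy the prefix and terminate it by hand (strncpy alone would leave it
     unterminated).  */
  memcpy (trunc, line, SYSLOG_MAXLEN - 1);
  trunc[SYSLOG_MAXLEN - 1] = '\0';
  syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
          "HISTORY (TRUNCATED): PPID=%d PID=%d SID=%d UID=%d User=%s %s",
          ppid, pid, sid, uid, user, trunc);
}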
[root@localhost SOURCES]# diff -Npru bash-4.1-orig bash-4.1 > bash_history_syslog.patch
# cd ~/rpmbuild/SPECS/
# vim bash.spec
#按如下格式加入两行内容,保存退出。
Patch119: bash_history_syslog.patch
…
%patch119 -p1 -b .history_syslog
…
[root@localhost SPECS]# rpmbuild -ba bash.spec
error: Failed build dependencies:
texinfo is needed by bash-4.1.2-15.el6.x86_64
再开一个窗口安装texinfo软件包。
[root@localhost SPECS]# rpmbuild -ba bash.spec
[root@localhost SPECS]# cd ~/rpmbuild/RPMS/x86_64/
[root@localhost ~]# cd ~/rpmbuild/RPMS/x86_64/
[root@localhost x86_64]# ls
bash-4.1.2-15.el6.x86_64.rpm bash-debuginfo-4.1.2-15.el6.x86_64.rpm bash-doc-4.1.2-15.el6.x86_64.rpm
[root@localhost x86_64]#
[root@localhost x86_64]# rpm -Uvh --force bash-4.1.2-15.el6.x86_64.rpm
Preparing... ########################################### [100%]
1:bash ########################################### [100%]
[root@localhost x86_64]#
[root@localhost x86_64]# vi /etc/rsyslog.conf
#加入如下内容:
local1.debug /var/log/bash
[root@localhost x86_64]# service rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
[root@localhost ~]# tail -f /var/log/bash
Apr 13 00:47:11 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root ifconfig
Apr 13 00:47:12 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root ls
Apr 13 00:47:13 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root df -h
Apr 13 00:47:15 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root history
Apr 13 00:47:24 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root cat /var/log/bash
Apr 13 01:19:47 localhost bash: HISTORY: PPID=26139 PID=26141 SID=26141 UID=0 User=root cat /var/log/bash
Apr 13 01:19:57 localhost bash: HISTORY: PPID=26139 PID=26141 SID=26141 UID=0 User=root ifconfig
Apr 13 01:21:07 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root ifconfig
Apr 13 01:21:17 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root w
Apr 13 01:21:20 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root df -h
Apr 13 01:21:33 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root useradd abc
Apr 13 01:21:38 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root passwd abc
Apr 13 01:21:42 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root su - abc
Apr 13 01:21:44 localhost -bash: HISTORY: PPID=26192 PID=26193 SID=26159 UID=500 User=abc exit
1. 日志服务器配置
# vi /etc/rsyslog.conf
将其中下面四行的注释取消
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
在#### GLOBAL DIRECTIVES ####中加入如下内容:
$template IpTemplate,"/var/log/%FROMHOST-IP%.log"
*.* ?IpTemplate
& ~
说明:接收到的远程日志按客户端IP地址命名保存。注意服务器同时开放了514/UDP,UDP的来源地址不做验证,文件名中的IP仅作标识;客户端示例中的@@表示通过TCP转发。
然后重新启动rsyslogd服务
# service rsyslog restart
2. 日志客户端配置
# vi /etc/rsyslog.conf
local1.debug @@192.168.0.66
# 然后重新启动rsyslogd服务
# service rsyslog restart
3. 查看结果,日志服务器已经可以接收到客户端的日志了。