- Edit `/etc/profile` and add the following lines to the bottom of the file (note that bash reads `/etc/profile` only for login shells, so a shell started without a login will not pick up the trap):

```bash
# Log every command run in an interactive bash session to syslog.
function log2syslog
{
    declare COMMAND
    # fc -ln -0 prints the current history entry without its line number.
    COMMAND=$(fc -ln -0)
    # Facility local1, tag "bash", -i appends the shell's PID,
    # and "--" stops logger from treating the message as options.
    logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
}
# The DEBUG trap runs before each simple command, so each one gets logged.
trap log2syslog DEBUG
```
- Edit `/etc/rsyslog.conf` and add the following line to the bottom of the file:

```
# Send everything logged to facility local1 to the audit file.
# The leading "-" tells rsyslog not to sync the file after every write.
local1.* -/var/log/cmdline
```
- Either restart the rsyslog service, or restart the whole machine to end all user sessions, which forces a reload of the bash profile and enacts the changes.

```bash
/etc/init.d/rsyslog restart
```

The audit logging will be visible under `/var/log/syslog` and `/var/log/cmdline`.
- Allow read access to `/var/log/cmdline`. This makes every user's logged commands readable by any local account (the container below reads the file through a read-only bind mount). If you are not ok with this, stop right now.

```bash
chmod +r /var/log/cmdline
```
- Run the container.

```bash
# Ship the audit file to fluentd via Docker's fluentd log driver.
# fluentd-async-connect=true lets the container start even if fluentd is not up yet.
docker run --name log-cmdline -it -d \
  --restart on-failure \
  --log-driver fluentd \
  --log-opt tag=docker.efk.cmdline \
  --log-opt fluentd-async-connect=true \
  -v /var/log/cmdline:/media/cmdline:ro \
  barklan/log-cmdline:rolling
```
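As an added example (not part of the log-cmdline project), here is a small Python parser for the lines this pipeline writes to `/var/log/cmdline`, grouping commands per user and selecting the ones worth a review. It assumes rsyslog's default traditional file template; the sample log lines are constructed.

```python
import re

# Constructed sample of /var/log/cmdline as rsyslog writes it with its default
# (traditional) file template: "<timestamp> <host> bash[<pid>]: <user>:<command>".
# The command part keeps the leading whitespace that `fc -ln -0` emits.
# Assumption: the real layout depends on the rsyslog template in use.
SAMPLE_CMDLINE_LOG = """\
Mar  3 09:15:02 web01 bash[2201]: alice:\t ls -la /var/log
Mar  3 09:15:40 web01 bash[2201]: alice:\t sudo systemctl restart rsyslog
Mar  3 09:16:05 web01 bash[2390]: bob:\t cat /etc/hostname
Mar  3 09:16:11 web01 bash[2390]: bob:\t chmod +r /var/log/cmdline
Mar  3 09:17:00 web01 kernel: unrelated message that must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) bash\[(?P<pid>\d+)\]: (?P<user>[^:]+):(?P<cmd>.*)$"
)

# Patterns a defender may want to review: privilege use via sudo,
# and commands that touch the audit log itself.
REVIEW_PATTERNS = [re.compile(r"^sudo\b"), re.compile(r"/var/log/cmdline")]


def parse_cmdline_log(text):
    """Return one dict per bash audit line; lines with other tags are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        ev["cmd"] = ev["cmd"].strip()  # drop the tab/space from fc output
        events.append(ev)
    return events


def commands_by_user(events):
    """Group parsed commands by the ${USER} value the trap logged."""
    grouped = {}
    for ev in events:
        grouped.setdefault(ev["user"], []).append(ev["cmd"])
    return grouped


def commands_to_review(events):
    """Select events whose command matches any REVIEW_PATTERNS entry."""
    return [ev for ev in events if any(p.search(ev["cmd"]) for p in REVIEW_PATTERNS)]
```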