2 Answers
3
Enable Bash command auditing:
- Edit the /etc/bash.bashrc file and add the following lines
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
This will log all executed commands to syslog under the local6 facility.
- Configure syslog to forward logs
You can use Amazon CloudWatch Logs, Elastic Stack (ELK), or any other
For Amazon CloudWatch Logs, follow https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html to install and configure the CloudWatch Logs agent.
Edit the /etc/awslogs/awslogs.conf file and add the following:
[/var/log/syslog]
file = /var/log/syslog
log_group_name = YOUR_LOG_GROUP_NAME
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S
- Create a dashboard in CloudWatch
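Once the entries reach a central store, they are easier to query if each line is split into fields. The parser below is an added example, not part of the original answer; it assumes the traditional rsyslog file layout with logger's default tag (the user name), and the host, users, PIDs and commands in the sample are constructed.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Constructed sample lines (assumed traditional rsyslog file format).
SAMPLE_LOG = """\
Mar  3 14:02:11 ip-10-0-0-12 alice: alice [2314]: ls -la /var/log [0]
Mar  3 14:02:40 ip-10-0-0-12 alice: alice [2314]: cat /etc/app/secret.conf [1]
Mar  3 14:03:05 ip-10-0-0-12 root: root [2977]: echo "[x]: done" [0]
Mar  3 14:03:09 ip-10-0-0-12 sshd[811]: Accepted publickey for alice
Mar  3 14:04:17 ip-10-0-0-12 bob: bob [3050]: systemctl restart nginx [4]
"""

class AuditRecord(NamedTuple):
    timestamp: str
    host: str
    user: str
    shell_pid: int
    command: str
    exit_status: int

# Message body written by the PROMPT_COMMAND above: "<user> [<pid>]: <cmd> [<rc>]".
# The command is matched greedily and the exit status is anchored at the end of
# the line, so brackets or ": " inside the command do not break the split.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\[\s]+): "
    r"(?P<user>\S+) \[(?P<pid>\d+)\]: (?P<cmd>.*) \[(?P<rc>\d+)\]$"
)

def parse_line(line: str) -> Optional[AuditRecord]:
    """Return a record for an audit line, or None for any other syslog line."""
    m = AUDIT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return AuditRecord(m["ts"], m["host"], m["user"],
                       int(m["pid"]), m["cmd"], int(m["rc"]))

def parse_log(text: str) -> List[AuditRecord]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def failed_by_user(records: List[AuditRecord]) -> Counter:
    """Count commands with a non-zero exit status per user."""
    return Counter(r.user for r in records if r.exit_status != 0)

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        status = "FAIL" if rec.exit_status else "ok"
        print(f"{rec.timestamp} {rec.user} pid={rec.shell_pid} {status}: {rec.command}")
```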