how to collect command logs performed on ec2 ubuntu instance

Question

My question is how can i collect logs of commands written or changes made by that particular user in the ubuntu instance after i ssh into it. so can it be displayed on any dashboard (if yes, suggest how can i perform it and what tools might support the above scenario)

Answer

Enable Bash command auditing:

- Edit the /etc/bash.bashrc file and add the following lines
```
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
```
This will log all executed commands to syslog under the local6 facility.

- Configure syslog to forward logs
You can use Amazon CloudWatch Logs, Elastic Stack (ELK), or any other
For Amazon CloudWatch Logs, follow https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html to install and configure the CloudWatch Logs agent.
Edit the /etc/awslogs/awslogs.conf file and add the following

```
[/var/log/syslog]
file = /var/log/syslog
log_group_name = YOUR_LOG_GROUP_NAME
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S
```

- Create a dashboard in CloudWatch

Answer

Take a look at [Sessions Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) and [session logging](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html).

how to collect command logs performed on ec2 ubuntu instance

相關內容