How to enable command line audit logging in linux | Confluence (2024)


The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.

Purpose

This KB article contains information that is outside of the Atlassian Support Offerings and is provided as a suggestion to achieve the mentioned goal.

This is not intended as a complete solution nor as a recommendation to use on production instances.

As this involves security concerns, the administrator should work in conjunction with their security team to understand the best solution available to their company.

To record all commands entered into the shell in a Linux environment to a log file. This can be useful for auditing user actions or for security audits.

This is not specific to Confluence or any other product, but it will audit command line actions, including those related to Confluence. Service restarts, all input typed into bash, and other user actions are all logged by this method.

As an alternative you may consider Snoopy:

Snoopy is a small library that logs all program executions on your Linux/BSD system.

Solution

  1. Log in to the Linux box and become root:

    sudo su - 
  2. Edit /etc/profile and add the following lines to the bottom of the file:

    # command line audit logging
    # The DEBUG trap runs this function before every command in an interactive
    # bash login shell. `fc -ln -0` prints the most recent history entry (the
    # command about to run) without its number; logger sends it to syslog with
    # facility local1, tag "bash" and the PID of the logger process (-i),
    # which is why every entry in the log carries a different PID.
    function log2syslog
    {
        declare COMMAND
        COMMAND=$(fc -ln -0)
        logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
    }
    trap log2syslog DEBUG
  3. Save and exit /etc/profile
  4. Edit /etc/rsyslog.conf and add the following lines to the bottom of the file:

    # command line audit logging
    # facility local1, any priority, written to /var/log/cmdline; the leading
    # "-" tells rsyslog not to sync the file after every write
    local1.* -/var/log/cmdline
  5. Save and exit /etc/rsyslog.conf
  6. Either restart the rsyslog service, or restart the whole machine to end all user sessions, so that every new login shell reads the updated profile and the changes take effect:

    /etc/init.d/rsyslog restart
  7. The audit logging will be visible under /var/log/syslog and /var/log/cmdline and will look like this:

    Aug 22 15:04:39 ip-10-10-34-56 bash[15856]: jsmith:
    Aug 22 15:04:40 ip-10-10-34-56 bash[15859]: jsmith:#011 sudo su -
    Aug 22 15:04:43 ip-10-10-34-56 bash[15893]: root:
    Aug 22 15:04:49 ip-10-10-34-56 bash[15903]: root:#011 ls -lart /var/log
    Aug 22 15:05:01 ip-10-10-34-56 CRON[15927]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
    Aug 22 15:05:06 ip-10-10-34-56 bash[15937]: root:#011 ls -lart /var/log | grep cmd
    Aug 22 15:15:01 ip-10-10-34-56 CRON[17254]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
    Aug 22 15:17:01 ip-10-10-34-56 CRON[17513]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
    Aug 22 15:20:02 ip-10-10-34-56 bash[17921]: root:#011 cd /var/log
    Aug 22 15:20:03 ip-10-10-34-56 bash[17924]: root:#011 ls
    Aug 22 15:20:16 ip-10-10-34-56 bash[17969]: root:#011 service confluence restart
    Aug 22 15:20:16 ip-10-10-34-56 systemd[1]: Stopping SYSV: Confluence...
    Aug 22 15:20:16 ip-10-10-34-56 confluence[17975]: Stopping confluence
    Aug 22 15:20:16 ip-10-10-34-56 systemd[1]: Started Session c8 of user confluence.
    Aug 22 15:20:27 ip-10-10-34-56 confluence[17975]: confluence stopped successfully
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Stopped SYSV: Confluence.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Starting SYSV: Confluence...
    Aug 22 15:20:27 ip-10-10-34-56 confluence[18103]: Starting confluence
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Stopping User Manager for UID 1300...
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Default.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Basic System.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Paths.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Timers.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Reached target Shutdown.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Starting Exit the Session...
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Sockets.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Received SIGRTMIN+24 from PID 18107 (kill).
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Stopped User Manager for UID 1300.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Removed slice User Slice of confluence.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Created slice User Slice of confluence.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Starting User Manager for UID 1300...
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Started Session c9 of user confluence.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Paths.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Timers.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Sockets.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Basic System.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Default.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Startup finished in 9ms.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Started User Manager for UID 1300.
    Aug 22 15:20:28 ip-10-10-34-56 systemd[1]: Started SYSV: Confluence.
    Aug 22 15:20:41 ip-10-10-34-56 bash[18207]: root:#011 ls
    Aug 22 15:20:54 ip-10-10-34-56 bash[18271]: root:#011 less syslog
  8. You may consider saving the log on an NFS mount and/or pushing the syslog logs to another machine.
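Once the log exists, someone has to read it. The script below is an added example, not part of the Atlassian article: it parses lines in the format shown in step 7 (a constructed sample is embedded) and extracts which user ran which command, skipping the CRON and systemd noise that shares the same syslog file. Two details of the format are worth knowing: "#011" is rsyslog's escaping of the tab that `fc -ln` prints in front of each history entry, and the entries with nothing after "user:" are DEBUG-trap firings on an empty history entry (for example right after the shell starts), so they carry no command and are dropped. The function names and the sample host, users and PIDs are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Atlassian article): parse /var/log/cmdline lines
# produced by the /etc/profile trap and report who ran what.

# Constructed sample in the step 7 format. "#011" is the rsyslog-escaped tab
# from `fc -ln`; entries ending in "user:" have no command and are skipped.
SAMPLE_LOG='Aug 22 15:04:39 ip-10-10-34-56 bash[15856]: jsmith:
Aug 22 15:04:40 ip-10-10-34-56 bash[15859]: jsmith:#011 sudo su -
Aug 22 15:04:43 ip-10-10-34-56 bash[15893]: root:
Aug 22 15:04:49 ip-10-10-34-56 bash[15903]: root:#011 ls -lart /var/log
Aug 22 15:05:01 ip-10-10-34-56 CRON[15927]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Aug 22 15:05:06 ip-10-10-34-56 bash[15937]: root:#011 ls -lart /var/log | grep cmd
Aug 22 15:20:16 ip-10-10-34-56 bash[17969]: root:#011 service confluence restart
Aug 22 15:20:16 ip-10-10-34-56 systemd[1]: Stopping SYSV: Confluence...'

# parse_cmdline_log: read syslog-format lines on stdin, keep only the bash[...]
# audit entries that actually carry a command, and print one record per line:
#   timestamp|host|logger-pid|user|command
parse_cmdline_log() {
    awk '
        # field 5 is the tag, e.g. "bash[15903]:"; CRON, systemd etc. are skipped
        $5 ~ /^bash\[[0-9]+\]:$/ {
            pid = $5
            sub(/^bash\[/, "", pid); sub(/\]:$/, "", pid)
            # everything after the tag: "user:#011 command" or just "user:"
            rest = substr($0, index($0, $5) + length($5) + 1)
            c = index(rest, ":")
            user = substr(rest, 1, c - 1)
            cmd = substr(rest, c + 1)
            sub(/^#011[ \t]*/, "", cmd)   # drop the escaped tab
            sub(/[ \t]+$/, "", cmd)
            if (cmd == "") next           # empty history entry, nothing to report
            printf "%s %s %s|%s|%s|%s|%s\n", $1, $2, $3, $4, pid, user, cmd
        }'
}

# commands_per_user: how many logged commands each user ran (sorted by user).
commands_per_user() {
    parse_cmdline_log | awk -F'|' '{ n[$4]++ } END { for (u in n) print u, n[u] }' | sort
}

# service_restarts: the subset of commands that restart a service, the kind of
# action the article says this method is meant to capture.
service_restarts() {
    parse_cmdline_log | awk -F'|' '$5 ~ /^(service [^ ]+ restart|systemctl restart )/'
}

# Usage: run the parsers over the constructed sample
# (on a real host: parse_cmdline_log < /var/log/cmdline).
printf '%s\n' "$SAMPLE_LOG" | parse_cmdline_log
printf '%s\n' "$SAMPLE_LOG" | commands_per_user
printf '%s\n' "$SAMPLE_LOG" | service_restarts
```

The parser keys on the syslog tag rather than on the message text, so it is not fooled by a CRON or systemd line that happens to mention a user. For step 8, the rsyslog way to push these entries to another machine is a second selector for the same facility, for example `local1.* @@loghost:514` (`@@` is TCP, a single `@` is UDP; `loghost` is a placeholder), so that the copy on the central host survives even if the local file is altered.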

FAQs

How to enable audit logging in Linux?

To enable auditing on a Linux or UNIX computer:
  1. Log on as a user with root privileges.
  2. Run dacontrol with the -e option: dacontrol -e.
  3. Run dacontrol again to verify that auditing has been enabled or run dainfo. For example, the output of the dacontrol command shows something like this: dacontrol --query.

How to enable command line logging in Linux?

Solution
  1. Login to the linux box and assume root. ...
  2. Edit /etc/profile and add the following lines to the bottom of the file: ...
  3. Save and exit /etc/profile.
  4. Edit /etc/rsyslog.conf and add the following lines to the bottom of the file: ...
  5. Save and exit /etc/rsyslog.conf.

How to audit commands in Linux?

The main auditctl commands to control basic audit system parameters are:
  1. auditctl -e to enable or disable audit.
  2. auditctl -f to control the failure flag.
  3. auditctl -r to control the rate limit for audit messages.
  4. auditctl -b to control the backlog limit.
  5. auditctl -s to query the current status of the audit daemon.

How do I enable system logs in Linux?

Using dmesg to View Linux Log Files

By running dmesg , you can access these logs directly from the kernel, providing a low-level view of system activities and events. This command displays the kernel ring buffer messages on your terminal, allowing you to read through the system logs.

What is the command for audit log?

Use the catauditlog command to display the in-memory contents of the audit log. Use the dumpauditlog command to reset or clear the contents of the in-memory audit log. The contents of the audit log are sent to a file in the /dumps/audit directory on the current configuration node.

What is command line audit logging?

Command line auditing implies monitoring the process with the name A new process has been created on Windows operating systems, and it is carried out for the following processes: Creator process — which runs the command line to create another process. New process — which is being created by the creator process.

What is the default audit log in Linux?

By default, the Audit system stores log entries in the /var/log/audit/audit.log file; if log rotation is enabled, rotated audit.log files are stored in the same directory.

How do I add audit rules in Linux?

Using ausearch -m MESSAGE_TYPE, you can at least filter for events of a certain type. However, to be able to filter for events related to a particular rule, you need to add a key to this rule in the /etc/audit/audit.rules file. This key is then added to the event record every time the rule logs an event.
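The key mechanism described above is what makes auditd usable as a second, kernel-level source for command auditing: an execve rule tagged with a key lets you pull out exactly those events later. The script below is an added example, not from the article or from the FAQ source. It assumes a rule of the form `-a always,exit -F arch=b64 -S execve -k cmdline` has been loaded (that rule is not on this page) and parses constructed /var/log/audit/audit.log records to show how the serial in `msg=audit(TIME:SERIAL)` ties the SYSCALL record (who: auid, uid, key) to the EXECVE record (what: the argv). Unlike the /etc/profile trap, which runs inside the user's own bash process, the kernel records every execve, including commands run from scripts and from other shells. The function name and the sample PIDs, UIDs and serials are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): join auditd SYSCALL and EXECVE records
# by serial and print the commands logged under a given rule key.

# Constructed audit.log sample. Serials 101 and 103 are execve events tagged
# key="cmdline"; 102 is an openat event under a different key and has no EXECVE
# record, so it must not appear in the output.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1692716689.481:101): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=8 items=2 ppid=15893 pid=15903 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="ls" exe="/bin/ls" key="cmdline"
type=EXECVE msg=audit(1692716689.481:101): argc=3 a0="ls" a1="-lart" a2="/var/log"
type=SYSCALL msg=audit(1692716700.002:102): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3 a2=0 a3=0 items=1 ppid=1 pid=15950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="etc-watch"
type=SYSCALL msg=audit(1692716720.115:103): arch=c000003e syscall=59 success=yes exit=0 a0=55e0 a1=55e1 a2=55e2 a3=8 items=2 ppid=15903 pid=15977 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="service" exe="/usr/sbin/service" key="cmdline"
type=EXECVE msg=audit(1692716720.115:103): argc=3 a0="service" a1="confluence" a2="restart"'

# audit_commands_by_key KEY: read audit.log records on stdin and print
#   SERIAL auid=N uid=N COMMAND
# for every execve event whose SYSCALL record carries key="KEY".
audit_commands_by_key() {
    awk -v want="$1" '
        # serial: "msg=audit(1692716689.481:101):" -> "101"
        function serial(rec,   s) {
            s = rec
            sub(/^.*msg=audit\([0-9.]+:/, "", s)
            sub(/\).*$/, "", s)
            return s
        }
        # field: value of " name=..." with surrounding quotes removed
        function field(rec, name,   v) {
            if (match(rec, " " name "=[^ ]+")) {
                v = substr(rec, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
                gsub(/"/, "", v)
                return v
            }
            return ""
        }
        # SYSCALL record with the wanted key: remember who, in arrival order
        $1 == "type=SYSCALL" && field($0, "key") == want {
            s = serial($0)
            order[++n] = s
            who[s] = "auid=" field($0, "auid") " uid=" field($0, "uid")
        }
        # EXECVE record: rebuild argv from a0..a(argc-1). auditd hex-encodes and
        # leaves unquoted any argument with spaces or special characters; such
        # values are passed through undecoded here.
        $1 == "type=EXECVE" {
            s = serial($0)
            argc = field($0, "argc") + 0
            cmd = ""
            for (i = 0; i < argc; i++) {
                sep = (i > 0) ? " " : ""
                cmd = cmd sep field($0, "a" i)
            }
            args[s] = cmd
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s in args) printf "%s %s %s\n", s, who[s], args[s]
            }
        }'
}

# Usage over the constructed sample (on a real host: read /var/log/audit/audit.log)
printf '%s\n' "$SAMPLE_AUDIT" | audit_commands_by_key cmdline
```

The auid field is the login UID, which stays fixed across `sudo su -`, so the output still attributes root's commands to the account that logged in; the plain uid shows the effective identity at the time. `ausearch -k cmdline -i` gives the same join interactively, but the script shows what the records actually contain when you need to feed them into something else.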

Which tool can perform Linux auditing?

Lynis is a security auditing tool for systems based on UNIX like Linux, macOS, BSD, and others. It performs an in-depth security scan and runs on the system itself. The primary goal is to test security defenses and provide tips for further system hardening.

How do I get command logs in Linux?

The default location for log files in Linux is /var/log . You can view the list of log files in this directory with the following command: ls -l /var/log.

How do I enable system logging?

Enable and Configure Syslog

In the Configuration Settings section: For Enable Syslog – Check the Enable Logging to Syslog server checkbox to enable syslog. For Syslog Server Details – Enter the Syslog server IP address, and server port.

What is the command for logging in Linux?

The logger command provides an easy way to add messages to the /var/log/syslog file from the command line or from other files. The Linux logger command provides an easy way to add log files to /var/log/syslog — from the command line, from scripts, or from other files. In today's post, we'll take a look at how it works.

How do I enable journal logs in Linux?

The journal stores log data in /run/log/journal/ by default. Because the /run/ directory is volatile by nature, log data is lost at reboot. To make the log data persistent, the directory /var/log/journal/ with correct ownership and permissions must exist, where the systemd-journald service can store its data.

How do I enable debug logs in Linux?

Linux Agent - Enable Debug mode
  1. Enable Debug mode (comment out or remove the debug line to disable): Debug=1. Now restart the CDP Host Agent module:
  2. /etc/init.d/cdp-agent restart. To test this you can 'tail' the CDP Agent log file to see the new [Debug] lines that are added to the logs:
  3. tail /usr/sbin/r1soft/log/cdp.log
Mar 19, 2012

How do I enable AD audit logging?

Go to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policies. Select Audit object access and Audit directory service access. Select both the Success and Failure options to audit all accesses to every Active Directory object.

How do I enable logging in Linux screen?

Use -L to enable logging to screenlog.0. By default the screen output is dumped to the log at a 10 second interval. To change this you name your session with -S and after creation send the logfile flush command with the number of seconds.

Article information

Author: Aron Pacocha

Last Updated:

Views: 6423

Rating: 4.8 / 5 (68 voted)

Reviews: 83% of readers found this page helpful
