
Bash Shell 명령어 로깅

/etc/profile
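# ========================================================
# Command Logging by pjw (universal for bash shells)
# Format: JSON log with user, tty, ip, directory, command, date
#
# Scope and limits:
#   - The hook runs inside the user's own shell and reads that shell's
#     history, so the logged user can alter or disable it. Treat the
#     output as convenience telemetry, not as a tamper-resistant audit
#     trail; for audit-grade records pair it with kernel-level auditing
#     (e.g. auditd) and forward the local2 facility to a remote log host.
#   - Whole command lines are logged, including any secret typed as an
#     argument; restrict read access to the destination log file.
#   - NOTE(review): PROMPT_COMMAND is exported while history_to_syslog is
#     not (no `export -f`), so a child interactive bash that does not
#     re-read this file presumably inherits a hook naming an undefined
#     function. Confirm how non-login shells are expected to behave.
# ========================================================
export LAST_LOGGED_COMMAND=""

#######################################
# Escape text for use inside a JSON string literal.
# Arguments: $1 - name of the variable that receives the result
#            $2 - raw text
#######################################
_bash_logger_json_escape() {
  local _bl_text=$2
  # Backslash first, so the escapes added below are not doubled again.
  _bl_text=${_bl_text//\\/\\\\}
  _bl_text=${_bl_text//\"/\\\"}
  _bl_text=${_bl_text//$'\n'/\\n}
  _bl_text=${_bl_text//$'\r'/\\r}
  _bl_text=${_bl_text//$'\t'/\\t}
  # Any other control character is invalid in JSON and could carry terminal
  # escape sequences into a log viewer; replace it with a visible marker.
  _bl_text=${_bl_text//[[:cntrl:]]/?}
  printf -v "$1" '%s' "$_bl_text"
}

#######################################
# Send the most recent history entry to syslog as one JSON object.
# Globals:   LAST_LOGGED_COMMAND (read, written), USER (fallback only)
# Arguments: none (called from PROMPT_COMMAND before each prompt)
# Outputs:   one local2.notice message tagged bash_logger
#######################################
history_to_syslog() {
  local command pwd remoteaddr tty user user_ip log_date
  local j_user j_tty j_ip j_dir j_cmd

  # Store the current date in yyyyMMdd format.
  log_date=$(date +"%Y%m%d")
  # HISTTIMEFORMAT is emptied so only the entry number has to be stripped.
  command=$(HISTTIMEFORMAT= history 1 | sed 's/^ *[0-9]* *//')
  pwd=$(pwd)
  remoteaddr=$(who am i 2>/dev/null)
  tty=$(tty 2>/dev/null)
  # $USER is an ordinary variable the session can reassign; ask the system.
  user=$(id -un 2>/dev/null) || user=${USER:-unknown}

  # Take the origin only from a trailing "(host)" field. Without one the
  # last field of `who am i` is the login time, not an address.
  case $remoteaddr in
    *\(*\))
      user_ip=${remoteaddr##*\(}
      user_ip=${user_ip%\)}
      ;;
  esac
  user_ip=${user_ip:-"local"}

  # Consecutive identical command lines are recorded once.
  if [[ "$command" != "$LAST_LOGGED_COMMAND" ]]; then
    # Every field is escaped: the command line and directory are chosen by
    # the user, and an unescaped quote would let a command line close the
    # "command" string and append forged fields to the record.
    _bash_logger_json_escape j_user "$user"
    _bash_logger_json_escape j_tty "$tty"
    _bash_logger_json_escape j_ip "$user_ip"
    _bash_logger_json_escape j_dir "$pwd"
    _bash_logger_json_escape j_cmd "$command"
    logger -p local2.notice -t bash_logger -i -- \
      "{\"date\":\"$log_date\", \"user\":\"$j_user\", \"tty\":\"$j_tty\", \"ip\":\"$j_ip\", \"directory\":\"$j_dir\", \"command\":\"$j_cmd\"}"
    export LAST_LOGGED_COMMAND="$command"
  fi
}

# Install the hook once; re-sourcing this file must not stack extra copies.
case "${PROMPT_COMMAND:-}" in
  *history_to_syslog*) ;;
  *) export PROMPT_COMMAND="history_to_syslog${PROMPT_COMMAND:+; $PROMPT_COMMAND}" ;;
esac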
/var/log/messages
............. May 8 11:28:59 dev-myapp-was-01 bash_logger[5981]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"source /etc/profile"} May 8 11:29:09 dev-myapp-was-01 bash_logger[6043]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"ll"} May 8 11:29:13 dev-myapp-was-01 bash_logger[6091]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"./myappctl log web"} May 8 11:29:16 dev-myapp-was-01 bash_logger[6135]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat", "command":"cd tomcat"} May 8 11:29:17 dev-myapp-was-01 bash_logger[6179]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat/logs", "command":"cd logs/"} May 8 11:29:17 dev-myapp-was-01 bash_logger[6223]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat/logs", "command":"ll"} May 8 11:29:18 dev-myapp-was-01 bash_logger[6266]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat", "command":"cd .."} May 8 11:29:24 dev-myapp-was-01 bash_logger[6355]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data/apache", "command":"cd /data/apache/"} May 8 11:29:25 dev-myapp-was-01 bash_logger[6398]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"cd -"} ay 9 09:46:14 dev-myapp-was-01 bash_logger[49572]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/root", "command":"TMOUT=0"} May 9 09:46:14 dev-myapp-was-01 bash_logger[49588]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/root", "command":"df -h"} May 9 09:46:14 
dev-myapp-was-01 bash_logger[49603]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"cd /home/apple"} May 9 09:46:14 dev-myapp-was-01 bash_logger[49619]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"ls -trl"} May 9 09:46:18 dev-myapp-was-01 bash_logger[49636]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home", "command":"cd /home"} May 9 09:46:19 dev-myapp-was-01 bash_logger[49652]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home", "command":"ll"} May 9 09:46:22 dev-myapp-was-01 su: (to pjw) ncloud on pts/1 May 9 09:46:24 dev-myapp-was-01 bash_logger[49723]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/pjw", "command":"ll"} May 9 09:46:26 dev-myapp-was-01 bash_logger[49738]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/pjw", "command":"pwd"} May 9 09:46:29 dev-myapp-was-01 bash_logger[49754]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data", "command":"cd /data"} May 9 09:46:29 dev-myapp-was-01 bash_logger[49770]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data", "command":"ll"} May 9 09:46:39 dev-myapp-was-01 bash_logger[49800]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data/backup", "command":"cd backup/"} May 9 09:46:39 dev-myapp-was-01 bash_logger[49816]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data/backup", "command":"ll"} May 9 09:46:41 dev-myapp-was-01 bash_logger[49832]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data/backup/logs", "command":"cd logs/"} May 9 09:46:41 dev-myapp-was-01 bash_logger[49848]: 
{"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data/backup/logs", "command":"ll"} May 9 09:46:43 dev-myapp-was-01 bash_logger[49863]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/pjw", "command":"cd "} May 9 09:46:44 dev-myapp-was-01 bash_logger[49878]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home", "command":"su - pjw "}
grep 예시 1
[root@dev-myapp-was-01 apple]# grep 'bash_logger' /var/log/messages May 8 11:28:59 dev-myapp-was-01 bash_logger[5981]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"source /etc/profile"} May 8 11:29:09 dev-myapp-was-01 bash_logger[6043]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"ll"} May 8 11:29:13 dev-myapp-was-01 bash_logger[6091]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"./myappctl log web"} May 8 11:29:16 dev-myapp-was-01 bash_logger[6135]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat", "command":"cd tomcat"} May 8 11:29:17 dev-myapp-was-01 bash_logger[6179]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat/logs", "command":"cd logs/"} May 8 11:29:17 dev-myapp-was-01 bash_logger[6223]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat/logs", "command":"ll"} May 8 11:29:18 dev-myapp-was-01 bash_logger[6266]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat", "command":"cd .."} May 8 11:29:24 dev-myapp-was-01 bash_logger[6355]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data/apache", "command":"cd /data/apache/"} May 8 11:29:25 dev-myapp-was-01 bash_logger[6398]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"cd -"} May 8 11:30:03 dev-myapp-was-01 bash_logger[6486]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"vi /var/log/messages"} ay 9 09:46:14 dev-myapp-was-01 bash_logger[49572]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", 
"ip":"192.168.0.9", "directory":"/root", "command":"TMOUT=0"} May 9 09:46:14 dev-myapp-was-01 bash_logger[49588]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/root", "command":"df -h"} May 9 09:46:14 dev-myapp-was-01 bash_logger[49603]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"cd /home/apple"} May 9 09:46:14 dev-myapp-was-01 bash_logger[49619]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple", "command":"ls -trl"} May 9 09:46:18 dev-myapp-was-01 bash_logger[49636]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home", "command":"cd /home"} May 9 09:46:19 dev-myapp-was-01 bash_logger[49652]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home", "command":"ll"} May 9 09:46:24 dev-myapp-was-01 bash_logger[49723]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/pjw", "command":"ll"} May 9 09:46:26 dev-myapp-was-01 bash_logger[49738]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/pjw", "command":"pwd"} May 9 09:46:29 dev-myapp-was-01 bash_logger[49754]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data", "command":"cd /data"} May 9 09:46:29 dev-myapp-was-01 bash_logger[49770]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data", "command":"ll"} May 9 09:46:39 dev-myapp-was-01 bash_logger[49800]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data/backup", "command":"cd backup/"} May 9 09:46:39 dev-myapp-was-01 bash_logger[49816]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data/backup", "command":"ll"} May 9 09:46:41 dev-myapp-was-01 bash_logger[49832]: 
{"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data/backup/logs", "command":"cd logs/"} May 9 09:46:41 dev-myapp-was-01 bash_logger[49848]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/data/backup/logs", "command":"ll"} May 9 09:46:43 dev-myapp-was-01 bash_logger[49863]: {"date":"20250509", "user":"pjw", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/pjw", "command":"cd "} May 9 09:46:44 dev-myapp-was-01 bash_logger[49878]: {"date":"20250509", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home", "command":"su - pjw "}
grep 예시 2
[root@dev-myapp-was-01 apple]# grep 'bash_logger' /var/log/messages | grep 20250508 | grep tomcat May 8 11:29:16 dev-myapp-was-01 bash_logger[6135]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat", "command":"cd tomcat"} May 8 11:29:17 dev-myapp-was-01 bash_logger[6179]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat/logs", "command":"cd logs/"} May 8 11:29:17 dev-myapp-was-01 bash_logger[6223]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat/logs", "command":"ll"} May 8 11:29:18 dev-myapp-was-01 bash_logger[6266]: {"date":"20250508", "user":"root", "tty":"/dev/pts/1", "ip":"192.168.0.9", "directory":"/home/apple/tomcat", "command":"cd .."}