Nagios Support Forum

Hello,

How could I show the monitored log in one of dashboard fields.
I am monitoring .bash_history and showing the path that shows username would be very helpful.

thanks,
Gader

Hello @exp-user1

Thanks for reaching out and want to check into this a bit more to see if this is possible.

Want to see an example output of your bash_history that you are interested in parsing so we can run through to see if can be done.

Thanks,
Perry

Hi pbroste,

I added the files "/home/*/.bash_history" (* represents many user_names) to be monitored by Nagios LS. However, I only see the commands history in message field, but I couldn't know which user are those commands for.


thanks,

Hello @expertus

Thanks for following up with the details, looks like you are pulling history over and filtering for the user. I mentioned your case to our team during our stand-up this morning and the following questions came up. Question, are you pulling individual rsyslog.d file or multiple? Can you also post the definition so we can see what is currently has been defined while we look for what can be done.

Thanks,
Perry

Hello,

I used Linux files to add multiple .bash_history files as source log.


Thanks.

Hello @expertus

I took some time today and spun up a log server vm test instance. I have a couple of questions and examples on what I did to my setup so we can collaborate further on the configuration.

On my test instance, I put the following in the '.bashrc', to make sure that it appends and the second for realtime logging. Not sure if they are needed but added them in case.
I added the following also to log to my '/var/log/messages; since that is where 'local1.notice' is logging. Options to create localx.notice in rsyslog into separate log
Here is an example of what I currently see, in my example root was running all the commands.
Let us know how your tinkering goes so we can dial things in on this,
Perry

Thanks pbroste for your reply,

where did you add?

trap 'logger -p local1.notice -t bash -i -- "${USER}":"$BASH_COMMAND"' DEBUG

in /etc/rsyslog.conf ?

Moreover, we already have the line below to send all logs "*.*" to Nagios log server:
*.* @@logcollector:5544

why should we add local1.notice ?

Regards,
Expertus.

Hello @exp-user1

Thanks for following up, to further this we did move logger to local7.* on my test environment by setting up, here we are setting up to log bash_history into it's own '/var/log/bash.log'.

local6.* /var/log/bash.log

Restarting rsyslog to update config: Starting this line: trap 'logger -p local7.notice -t bash -i -- "${USER}":"$BASH_COMMAND"' DEBUG in ~/.bash_profile for this example, or similar per your system environment.

Thanks,
Perry

Hello pbroste,

I was able to see bash commands on Nagios log server after adding the following config: and added the line " trap 'logger -p local7.notice -t bash -i -- "${USER}":"$BASH_COMMAND"' DEBUG" in /etc/bashrc to make it reflected on all users (using bash).

but I keep seeing " PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'"


check attached file from the logserver side. command history is OK in green, but why it is showing also the printf line?
THanks.

Hello @exp-user1

I noticed that as well on my test VM and made the following changes and no longer receive the 'root printf...' logline. I also setup logging on root and testuser.

The .bash_profile:

shopt -s histappend
PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
trap 'logger -p local5.info -t bash -i -- "${USER}":"$BASH_COMMAND"' DEBUG

Logging to /var/log/bash.log contains this line:

local5.info /var/log/bash.log

The results: Thanks,
Perry