Enable audit logging on Linux


This enables audit logging on Linux to record the commands users type.

Add the line below to /etc/pam.d/system-auth:

session required pam_tty_audit.so enable=*

Once done, run the command below to view the output:

ausearch -ts today -m tty -i

To filter the output further, add the grep and cut below (replace user with the account name):

ausearch -ts today -m tty -i | grep id=user | cut -d '=' -f3,5,6,10
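
The grep/cut filter above matches "id=user" anywhere on the line, including inside the typed text, and cut depends on a fixed field count. The following is an added example, not part of the original post: it selects records by the auid= field by name. The function names, the sample records and the account names matthew and alice are constructed for illustration, and the record layout is an assumption to check against your own ausearch output.

```shell
# Added example, not from the original post. The record layout is assumed
# from interpreted (-i) TTY events; check it against your own ausearch output.

# Constructed sample records. The second is typed by alice and merely contains
# the text "auid=matthew"; the third omits ses= (a different field count).
sample_tty_log() {
cat <<'EOF'
----
type=TTY msg=audit(11/30/2011 15:38:39.178:12763684) : tty pid=32377 uid=root auid=matthew ses=4 major=136 minor=2 comm=bash data="ls -l /root",<nl>
----
type=TTY msg=audit(11/30/2011 15:40:02.511:12763701) : tty pid=32410 uid=alice auid=alice ses=5 major=136 minor=3 comm=bash data="echo auid=matthew",<nl>
----
type=TTY msg=audit(11/30/2011 15:41:10.020:12763710) : tty pid=32377 uid=root auid=matthew major=136 minor=2 comm=bash data="systemctl status sshd",<nl>
EOF
}

# tty_by_user LOGIN: read ausearch -i output on stdin and print
# time|uid|comm|keystrokes for records whose auid= field equals LOGIN.
tty_by_user() {
    awk -v want="$1" '
    # Value of key= taken from the header part only, never from typed data.
    function field(key,    i, s) {
        i = index(head, " " key "=")
        if (i == 0) return ""
        s = substr(head, i + length(key) + 2)
        sub(/ .*/, "", s)
        return s
    }
    /^type=TTY / {
        d = index($0, " data=")
        head = (d ? substr($0, 1, d - 1) : $0)
        data = (d ? substr($0, d + 6) : "")
        if (field("auid") != want) next
        ts = $0
        sub(/^[^(]*\(/, "", ts)      # drop everything up to "audit("
        sub(/\).*/, "", ts)          # drop the closing ")" and the rest
        sub(/:[0-9]+$/, "", ts)      # drop the event serial number
        printf "%s|uid=%s|comm=%s|%s\n", ts, field("uid"), field("comm"), data
    }'
}

# Demo on the constructed sample; on a real host use:
#   ausearch -ts today -m tty -i | tty_by_user matthew
sample_tty_log | tty_by_user matthew
```

Matching on auid= ties each record to the account that originally logged in, even where uid= shows root.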