Where is the log of used commands in Linux?
The history command provides the list of commands we used previously, but its limit is low. New commands overwrite old commands, so the old commands are lost. I think the log of the commands is stored somewhere in the system. Is that log available to open and read? If possible, can we change the maximum size of log that it can handle? Does the output of the history command depend on the login user?
A simple solution is to increase the number of commands saved and returned by history. If you use bash, add these lines to your ~/.profile:

    export HISTSIZE=100000
    export HISTFILESIZE=999999

HISTFILESIZE
    The maximum number of lines contained in the history file. When this variable is assigned a value, the history file is truncated, if necessary, to contain no more than that number of lines by removing the oldest entries. The history file is also truncated to this size after writing it when a shell exits. If the value is 0, the history file is truncated to zero size. Non-numeric values and numeric values less than zero inhibit truncation. The shell sets the default value to the value of HISTSIZE after reading any startup files.

HISTSIZE
    The number of commands to remember in the command history (see HISTORY below). If the value is 0, commands are not saved in the history list. Numeric values less than zero result in every command being saved on the history list (there is no limit). The shell sets the default value to 500 after reading any startup files.
@gafoor yes, the history file I mention in my answer. Nothing else by default. If you set the variables I show, you will keep a list of thousands of commands.
The file ~/.bash_history saves the list of executed commands. At least in CentOS this file exists, I don’t know if it exists in other distros.
@AbdulGafoor yes, but that’s what you see when you run history. It will only have as many commands as those returned by history. To keep more, you need to set the variables I show in my answer.
This file also exists in Mac OSX. You can type vim ~/.bash_history to see the contents of the file under Mac.
It’s the HISTFILE variable which sets the location of the history file, which by default (for bash) is ~/.bash_history.
There is no such log, at least not by default.
There are tools you can install, like acct («GNU Accounting utilities for process and login accounting») which can keep track of all programs executed on the system.
acct is packaged for most (probably all except tiny-distros) linux distros. The home page is at http://www.gnu.org/software/acct/
acct provides the following commands, lastcomm probably does what you’re asking for:
ac prints statistics about users’ connect time. ac can tell you how long a particular user or group of users were connected to your system, printing totals by day or for all of the entries in the wtmp file.
accton turns accounting on or off.
lastcomm lists the commands executed on the system, most recent first, showing the run state of each command. With last, you can search the acct file for a particular user, terminal, or command.
sa summarizes the information in the acct file into the savacct and usracct file. It also generates reports about commands, giving the number of invocations, cpu time used, average core usage, etc.
dump-acct dump-utmp display acct and utmp files in a human-readable format.
Logging terminal commands
Assuming you’re doing this for security purposes, take a look at process accounting. You didn’t say which UNIX variant you’re on, but for Linux, take a look at http://www.gnu.org/software/acct/. Beware that you will generate a lot of data as process accounting writes data about every command run system wide (it’s a kernel feature). Your distro probably has the utilities already; in Debian check the ‘acct’ package.
If you’re just trying to log what you did so you can go back and look at it later, script (as in the other answer) or screen (with -L) will provide a better solution. However, they will not work for security auditing because it’s trivial to bypass them: just run a shell script. Also, line editing makes a royal mess of the files. Curses apps (like, say, a text editor) are even worse.
Also, if you force your users through e.g., script, you may wind up capturing information (e.g., email messages) which it may be illegal for you to intercept.
One more option — sudosh or other equivalents. Not sure that they provide much benefit compared to script, but probably worthy of mention.
Process accounting is the way to go, despite it sucking up lots of disk space. It’s not something I’d leave running unless you have a very grunty box but it’s very useful for problem solving since it basically tracks every process, a claim the simpler «snapshot of ps» tools can’t match.
You basically turn it on with accton /var/account/pacct and the kernel then writes details of every process that exits, including:
- process name (not args, unfortunately).
- start time.
- elapsed time.
- user and system CPU times.
- exit code.
- memory, I/O, fault and swap statistics.
- process ID.
- parent process ID.
You shut it down with a naked accton so all you people who laughed at Windows for using a Start button to shut down, HAH !! 🙂
There are two variants of records that can be logged, v1 and v3 — make sure you’re using the latest process accounting software and v3 records as they hold more useful information. The /usr/include/linux/acct.h file shows what you can get from there.
The records are all fixed size (regardless of version) and easy to process.
We’ve just recently finished a Linux agent for our performance monitoring software — I thought I’d jot this down while it’s still fresh in my memory.
One thing to watch out for are the comp_t fields — these are actually a weird exponent/mantissa type for holding a large range of values in 16 bits — the algorithm is pretty simple for turning it into a long:
Another thing is that some values are in clock ticks, not seconds, so you have to divide by the value returned by sysconf(_SC_CLK_TCK).
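The comp_t decoding and tick conversion described in the answer above, as an added example that is not part of the original answer. The function names and sample values are constructed for illustration; the field layout (a 3-bit base-8 exponent above a 13-bit fraction) follows the comment in linux/acct.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* comp_t as described in linux/acct.h: 3-bit base-8 exponent in the top
 * bits, 13-bit fraction (mantissa) in the low bits. */
typedef uint16_t comp_t;

#define COMP_MANT_BITS 13
#define COMP_MANT_MASK ((1u << COMP_MANT_BITS) - 1)

/* Expand a comp_t to its integer value. The largest result is
 * 0x1fff << 21, which does not fit in 32 bits, so a 64-bit type is used
 * instead of a plain long (which is 32 bits on some platforms). */
static uint64_t comp_to_u64(comp_t c)
{
    uint64_t mant = c & COMP_MANT_MASK;
    unsigned exp = (c >> COMP_MANT_BITS) & 0x7;
    return mant << (3 * exp);   /* base 8: each exponent step is 3 bits */
}

/* Convert a tick count to seconds for a given tick rate.
 * A non-positive rate (sysconf failure) yields 0 rather than dividing. */
static double ticks_to_seconds(uint64_t ticks, long hz)
{
    return hz > 0 ? (double)ticks / (double)hz : 0.0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real pacct file. */
    const comp_t samples[] = { 0x0005, 0x2001, 0x4064, 0xffff };
    long hz = sysconf(_SC_CLK_TCK);

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t ticks = comp_to_u64(samples[i]);
        printf("0x%04x -> %llu ticks = %.2f s at %ld Hz\n",
               (unsigned)samples[i], (unsigned long long)ticks,
               ticks_to_seconds(ticks, hz), hz);
    }
    return 0;
}
```

Because comp_t keeps only 13 bits of mantissa, large values are approximate; treat decoded CPU times and I/O counts as estimates when correlating accounting records with other logs.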
I would like to create a log of all commands typed in terminal
I would like to have a log of all commands that are typed on the terminal. I have checked «script» but this generates a file with the commands and the responses all together. Is there a way to have the commands only?
If you are using the default shells, all the commands are already logged to $HOME/.bash_history. There are several environment variables which affect the history keeping, you can read about those with:
If you want to apply the setting to all users edit /etc/profile.
Everything a user types into the terminal by hand is saved into ~/.bash_history, where ~ is shorthand for the currently logged in user’s home directory. Note also that files beginning with a . are hidden; in Nautilus, you can show them by hitting Ctrl + H.
Take a look at it by typing
To view your history, annotated with sequential numbers, type
You can execute commands you see there again by typing !2129, for example, which would execute command number 2129 as shown by the history command.
Note that the history command shows you up-to-the-second logs, whereas .bash_history is only saved after you log off from the terminal.
Little piece of interesting information:
- Commands that begin with a space are not saved to .bash_history. If you run a command like rm -R mydir/, you may want to prefix it with a space to prevent accidentally running it again by hitting the up-arrow.
As Joāo says, the size of the saved history can be controlled with export HISTFILESIZE=5000.