Bash Logger
How to log all user shell history to a specific file using syslog-ng hooks
Log all commands to /var/log/bash.log via syslog-ng.conf
Add below to /etc/syslog-ng/syslog.conf
###########################################################################
# Bash Logger
###########################################################################
# Filter messages from PROMPT_COMMAND
filter f_bashlogger_user { message("USER="); };
# Destination
destination d_bash_user {
file("/var/log/bash.log"
template(template_date_format)
owner("root") group("root") perm(0640)
create_dirs(yes));
};
# Log path
log {
source(s_local);
filter(f_bashlogger_user);
destination(d_bash_user);
};
Now restart syslog-ng: /etc/init.d/syslog-ng restart
Add below to ~/.bashrc
if [[ $- == *i* ]]; then
if [[ -z "$PROMPT_COMMAND" ]]; then
export PROMPT_COMMAND='history 1 | { read _ cmd; cmd="${cmd#*- }"; logger -p user.info "[USER=$(whoami) | UID=$(id -u) | PID=$$]: CMD=$cmd"; }'
else
export PROMPT_COMMAND="$PROMPT_COMMAND; history 1 | { read _ cmd; cmd=\"\${cmd#*- }\"; logger -p user.info \":[USER=\$(whoami) | UID=\$(id -u) | PID=\$\$]: CMD=\$cmd\"; }"
fi
fi
Now you should see something similiar in /var/log/bash.log
cat /var/log/bash.log
[2026-02-13 | 05:18:57 | localhost]: :[USER=root | UID=0 | PID=5428]: CMD=:> /var/log/bash.log
[2026-02-13 | 05:18:59 | localhost]: :[USER=wuseman | UID=1000 | PID=5390]: CMD=su
[2026-02-13 | 05:18:59 | localhost]: :[USER=wuseman | UID=1000 | PID=5390]: CMD=su
[2026-02-13 | 05:19:02 | localhost]: :[USER=root | UID=0 | PID=5551]: CMD=:> /var/log/bash.log
[2026-02-13 | 05:19:03 | localhost]: :[USER=root | UID=0 | PID=5551]: CMD=cat /var/log/bash.log