List command line history with timestamp
October 16th, 2008 mysurface Posted in Common, history, last | Hits: 191342 | 20 Comments »
History is a common command for shell to list out all the executed commands. It is very useful when it comes to investigation on what commands was executed that tear down the server. With the help of last command, you be able to track the login time of particular user as well as the the duration of the time he/she stays login.
last
...
mysurface tty7 :0 Mon Oct 6 20:07 - down (00:00)
reboot system boot 2.6.24.4-64.fc8 Mon Oct 6 20:06 (00:00)
mysurface pts/8 10.168.28.44 Mon Oct 6 17:42 - down (01:58)
mysurface pts/7 :0.0 Mon Oct 6 17:41 - 19:40 (01:59)
mysurface pts/6 :0.0 Mon Oct 6 17:27 - 19:40 (02:13)
mysurface pts/5 :0.0 Mon Oct 6 17:27 - 19:40 (02:13)
mysurface pts/5 :0.0 Mon Oct 6 15:52 - 15:59 (00:07)
...If the command line history could provides the date time of the commands being executed, that may really narrow down the scope of the user actions that cause the server malfunction. By default, history do not append with timestamp, but it is easy to configure it to display timestamp, you just need to set one environment variable HISTTIMEFORMAT.
HISTTIMEFORMAT takes format string of strftime. Check out the strftime manual to choose and construct the timestamp that suit your taste. My favorite is “%F %T “.
export HISTTIMEFORMAT="%F %T "Execute history again and you will see the effect on the spot, bare in mind that the timestamp for command lines that executed at previous sessions may not valid, as the time was not tracked.
...
994 2008-10-16 02:27:40 exit
995 2008-10-16 01:12:20 iptables -nL
996 2008-10-16 01:47:46 vi .bash_profile
997 2008-10-16 01:47:55 history
998 2008-10-16 01:48:03 . .bash_profile
999 2008-10-16 01:48:04 history
1000 2008-10-16 01:48:09 exit
1001 2008-10-16 02:27:43 history
...I would suggest you to put the export into ~/.bash_profile as well as /root/.bash_profile. In case you do not have .bash_profile, you can choose to put into ~/.bashrc.
Don’t mess up my servers! Your actions will be track!
October 21st, 2008 at 1:31 pm
hope this may help..
:)
November 4th, 2008 at 1:50 pm
Nice and clean website. Lots of useful articles too.
Thanks for the tips.
January 19th, 2009 at 11:35 am
This is a very useful information.Thanks a lot
March 13th, 2009 at 9:32 pm
Thanks,
Very usefull tip. Keep them cuming(oops, :) I mean coming)… lol
March 13th, 2009 at 9:34 pm
Thanks, but I am using tcsh shell. I googled around
and there seems to be no easy way in the tcsh shell.
Somebody has an idea?
Uwe Brauer
June 29th, 2009 at 12:30 pm
Yes it help me lot, certification.
August 5th, 2009 at 1:13 am
This only works on BASH 3.0 and up.
bash –version to find out.
August 14th, 2009 at 10:08 pm
If you use SSH to access the servers, you can set up a forced command which uses “script” to record the SSH session on the server. You can also use “tee” to record sessions from the client end.
http://www.jms1.net/ssh-record.shtml
I’ve always wondered why somebody doesn’t just write some code into execve() which logs a copy of the command line for every new process…
December 2nd, 2009 at 1:30 am
nice one
December 2nd, 2009 at 1:34 am
hi
i have a problem , i need to show only last weeks all the process or command i have run in Linux. i don know how to filter only those commands. i have tried HISTORY command with several options but cannot. please help me to get out of this problem.
June 16th, 2010 at 11:02 pm
If you want the complete time stamps like this:
1051 : Wed 16 Jun 2010 08:27:30 PM IST : df -h
then do enter the following in /etc/profile file
export HISTTIMEFORMAT=”: %c : “
November 19th, 2010 at 1:14 am
export HISTTIMEFORMAT=”%d %m %T ”
day month time command
December 10th, 2010 at 6:45 pm
thanks.it was of great help
February 12th, 2011 at 12:13 am
Nice info – btw, i like your template, nice.. thanks :)
February 21st, 2011 at 5:41 pm
Thank A Lot………
Works Great !!!!!!!!
March 8th, 2011 at 5:25 pm
lot of helpful,good work.
April 30th, 2011 at 2:30 am
That’s good stuff. Thank you.
May 30th, 2011 at 2:45 pm
Thanks for the clean and straight information.
September 23rd, 2012 at 7:49 am
here are some more examples like the ones shown above:
export HISTTIMEFORMAT=”%a %h %d – %r ”
will display:
457 Sat Sep 22 – 07:37:28 PM asdsa
458 Sat Sep 22 – 07:37:29 PM history
export HISTTIMEFORMAT=”%A %h %d – %r ”
will display:
459 Saturday Sep 22 – 07:39:53 PM sdfsad
460 Saturday Sep 22 – 07:39:54 PM history
export HISTTIMEFORMAT=”%A %B %d – %r ”
will display
459 Saturday September 22 – 07:39:53 PM sdfsad
460 Saturday September 22 – 07:39:54 PM history
April 10th, 2013 at 12:12 pm
Wholesale Cheap 1:1 replica louis vuitton Handbags / Bags / Purses from china Online Outlet for Sale
http://tamraecst5.webs.com/ szvxqk
Wholesale Cheap 1:1 replica louis vuitton Handbags / Bags / Purses from china Online Outlet for Sale
ekwzws