Patrick Bareiss

In this blog post, I will cover some recommendations for monitor executed bash commands in Linux using Splunk. After reviewing and testing multiple solutions, I found one solution which do the job perfectly and is easy to configure.

The solution is that we add a line in /etc/bashrc and then all the commands executed in a bash shell is written to /var/log/messages. In order to do that, add the following line in /etc/bashrc :

PROMPT_COMMAND='logger -i -p local5.info -t bash "$USER $(tty): $(history 1)"'

With the following Splunk inputs.conf configuration, we are able to monitor /var/log/messages :

[monitor:///var/log]
index = unix
whitelist=(messages)
disabled = 0

Thank you for reading. Now you can use bash commands as log source for Security Use Cases.