How to have an array that pulls up linux commands

Good morning,

I would like to have a reassembly of the commands typed on Linux, live, and put them in a table; the problem is that I can't find out how to reassemble the commands.

Thanks for your future help.

Welcome to our community! :smiley:

It's not really clear what you are referring to here, are you able to add more information?

Yes, of course. I would like to have a reassembly of the "bash_history" or similar, so that I have a dashboard on my Kibana where we see the commands typed on the Linux server.

You could use Auditd module | Filebeat Reference [8.7] | Elastic or Auditbeat Reference [8.7] | Elastic for that.

Yes, I had already taken note of these tools, but I have advanced a little on my side and I have a start, though not yet what I want either.

I configured auditd with this config:

-a always,exit -F arch=b32 -S execve
-a always,exit -F arch=b64 -S execve

and by processing it I get this:

but I would like a result that comes closest to "bash_history", if you have any ideas
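The bash_history-style result asked for here can be rebuilt straight from the EXECVE records that the two execve rules above produce. The script below is an added example, not from this thread or from Elastic's tooling: it assumes plain /var/log/audit/audit.log text on stdin, joins a0..aN into one line per record, decodes the hex form that auditd uses for an argument containing a space, quote or control byte (ASCII only in this decoder), and skips the a1_len= and a1[0]= continuation fields of very long arguments. The sample log at the bottom is constructed. Unlike a PROMPT_COMMAND hook in a user's shell startup file, these records come from the kernel, so a user cannot silence them by editing their own .bashrc, which is why the audit route is the more tamper-resistant of the two discussed in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild one bash_history-style line per
# auditd EXECVE record. Works with any POSIX awk.

reconstruct_execve() {
    awk '
    BEGIN {
        # auditd hex-encodes an argument that contains a space, a quote or a
        # control byte; build a hex -> character table for decoding (ASCII only)
        for (i = 1; i < 128; i++) chr[sprintf("%02X", i)] = sprintf("%c", i)
    }
    function dehex(s,    out, j) {
        out = ""
        for (j = 1; j <= length(s); j += 2)
            out = out chr[toupper(substr(s, j, 2))]
        return out
    }
    $1 == "type=EXECVE" {
        argc = 0
        split("", args)                       # clear the per-record argument table
        for (f = 2; f <= NF; f++) {
            eq = index($f, "=")
            if (!eq) continue
            key = substr($f, 1, eq - 1)
            val = substr($f, eq + 1)          # keeps any "=" inside the value
            if (key == "argc") { argc = val + 0; continue }
            if (key !~ /^a[0-9]+$/) continue  # skip msg=, a1_len=, a1[0]= ...
            if (val ~ /^".*"$/) val = substr(val, 2, length(val) - 2)
            else val = dehex(val)
            args[substr(key, 2) + 0] = val
        }
        line = ""
        for (i = 0; i < argc; i++) line = line (i ? " " : "") args[i]
        print line
    }'
}

# Constructed sample: one SYSCALL record (ignored) and two EXECVE records,
# the second with a hex-encoded argument because it contains a space.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1680000000.100:41): arch=c000003e syscall=59 success=yes exit=0 uid=1000 comm="grep" exe="/usr/bin/grep"
type=EXECVE msg=audit(1680000000.100:41): argc=4 a0="grep" a1="-n" a2="root" a3="/etc/passwd"
type=EXECVE msg=audit(1680000000.200:42): argc=2 a0="echo" a1=68656C6C6F20776F726C64
EOF
}

sample_audit_log | reconstruct_execve
```

Run it as `reconstruct_execve < /var/log/audit/audit.log` to get one command per line; the uid, session and timestamp live in the matching SYSCALL record (same msg=audit(...) id), which is what you would join on to attribute each line to a user for the Kibana table.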

The only other way I could think of would be to use Filebeat and monitor every instance of the .bash_history file you can find.

I found a solution, I add this command line

PROMPT_COMMAND='history -a >(logger -t "bash_history[$USER]")'

in the .bashrc; this command sends each command to syslog, and I then pick it up with Filebeat.
