Steps to perform to collect logs to the GA
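# Install fluent-package v6 LTS:
sudo apt update
# Fetch the installer to a file first instead of piping it straight into a root
# shell: a dropped connection can no longer leave a half-executed script, and the
# file can be read (and compared against the vendor's published checksum, if one
# is provided) before it runs. The install only proceeds if the download succeeded.
installer="$(mktemp)"
curl -fsSL -o "$installer" https://fluentd.cdn.cncf.io/sh/install-ubuntu-noble-fluent-package6-lts.sh \
  && sudo sh "$installer"
rm -f -- "$installer"
# Make sure the service is up and running:
sudo systemctl enable --now fluentd
sudo systemctl status fluentd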
# Replace the definitions at /etc/fluent/fluentd.conf with this config:
<system>
  log_level info
</system>
# Tail the file the bash hook (further down) appends to. @type none keeps each
# line unparsed as a single field, so the printf-formatted record is forwarded as-is.
<source>
  @type tail
  path /var/log/commands.log
  # Tail offset; this directory should be writable by the fluentd service account only.
  pos_file /var/log/fluentd/commands.pos
  tag shell_commands
  <parse>
    @type none
  </parse>
  read_from_head true
  refresh_interval 1s
</source>
# NOTE(review): no <source> in this file emits tag "cmdlog"; presumably reserved for
# a second input — confirm, or drop it from the match.
<match shell_commands cmdlog>
  @type copy
  # Local echo of every record for debugging (visible via `journalctl -u fluentd`
  # under systemd). Because each record holds a full command line, this copies it
  # into the journal as well — remove once forwarding is verified.
  <store>
    @type stdout
  </store>
  # NOTE(review): forward here is plain TCP with no authentication or encryption,
  # so the command lines travel in clear text and anyone who can reach port 24224
  # on the aggregator can inject records. For audit use, enable <transport tls>
  # and a <security> shared_key here and in the receiving in_forward — confirm the
  # aggregator side is configured to match.
  <store>
    @type forward
    send_timeout 10s
    recover_wait 10s
    heartbeat_type tcp
    heartbeat_interval 1s
    flush_interval 1s
    <server>
      host 10.50.20.9
      port 24224
    </server>
  </store>
</match>
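# Then in the terminal do:
sudo touch /var/log/commands.log
sudo mkdir -p /var/log/fluentd
# To ensure files/dirs exist, then do:
# Fluentd only needs to read the log (the bash hook below appends to it), and the
# pos-file directory should belong to the service account instead of being
# world-writable: with 777 any local user can move or corrupt the tail offset.
# Resolve the account from the unit rather than guessing its name.
fluent_user="$(systemctl show -p User --value fluentd)"
sudo chmod 644 /var/log/commands.log
sudo chown "${fluent_user:-root}" /var/log/fluentd   # empty User= means the unit runs as root
sudo chmod 750 /var/log/fluentd
# Then restart and test:
sudo systemctl restart fluentd
sudo journalctl -u fluentd -f
# And in a new terminal:
echo "Hello world from a test VM" | sudo tee -a /var/log/commands.log
# Now to collect terminal commands, edit /etc/bash.bashrc (sourced by interactive bash shells):
sudo nano /etc/bash.bashrc
# Scroll to the bottom and paste this block: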
| # Command logger for Fluentd | |
| if [ -n "$PS1" ] && [ -z "$BASH_COMMAND_LOGGER_SET" ]; then | |
| export BASH_COMMAND_LOGGER_SET=1 | |
| shopt -s histappend | |
| export HISTTIMEFORMAT="%F %T " | |
| LOG_FILE="/var/log/commands.log" | |
| LOG_HOST="$(hostname)" | |
| LOG_IP="$(hostname -I 2>/dev/null | awk '{print $1}')" | |
| PROMPT_COMMAND='LAST_CMD=$(HISTTIMEFORMAT= history 1 | sed "s/^ *[0-9]\+ *//"); \ | |
| printf "%s host=%q ip=%q user=%q tty=%q pwd=%q cmd=%q\n" "$(date --iso-8601=seconds)" "$LOG_HOST" "$LOG_IP" "$USER" "$(tty 2>/dev/null)" "$PWD" "$LAST_CMD" >> "$LOG_FILE"; \ | |
| history -a' | |
| fi | |
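# Save and exit. In a new terminal do
# The hook appends to the log as the logged-in user, so access goes through a
# dedicated group rather than a world-writable file: 666 would let any local
# account truncate or rewrite the audit trail. The group was never created
# above, which is one reason the usermod/chgrp steps seemed unreliable.
sudo groupadd -f cmdlog          # -f: succeed if the group already exists
sudo usermod -aG cmdlog "$USER"
sudo chgrp cmdlog /var/log/commands.log
sudo chmod 664 /var/log/commands.log   # owner/group write, world read; fluentd reads as "other"
ls -l /var/log/commands.log
# Group members can still rewrite the file; if that matters, `sudo chattr +a`
# makes it append-only, but rotation then needs to account for it — confirm.
# usermod -aG only takes effect for new sessions, so log out and log in to Ubuntu
# (`id -nG` should then list cmdlog). Commands typed in a new terminal are now
# appended to /var/log/commands.log (the file the Fluentd source tails). You can
# check them by doing
sudo tail -f /var/log/commands.log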