There are two methods to send a copy of all commands executed by users to syslog. One of these methods requires to modify bash source code. Therefore, we just focus on another method which does not need any modification in this article.
To log bash history to a syslog server, you can use the trap feature provided by Bash. Add following lines into either the per-user or system-wide bash profile; ~/.bash_profile and /etc/profile, respectively.
command=$(fc -ln -0)
if [ "$command" != "$old_command" ]; then
logger -p local1.notice -t bash -i -- $USER : "$command"
# if you want to avoid the function be overwritten, comment out the following line
# readonly -f history_to_syslog
trap history_to_syslog DEBUG
Note: This resolution spawns new process at each command logged, so it might be not a best solution if your system is in a heavy load. And users can read both bash profiles, ~/.bash_profile and /etc/profile.
To save this log message into a particular log file, add below line in /etc/syslog.conf (RHEL4/5) or /etc/rsyslog.conf (RHEL6):
Run below command to apply this change:
Red Hat Enterprise Linux 4/5
# service syslog restart
Red Hat Enterprise Linux 6