Monitoring Linux Command Executions: A Comprehensive Guide

How to log executions of specific commands on Linux


As system administrators, it is crucial to maintain strict control over the commands executed on a Linux system to ensure security and accountability. By logging the executions of specific commands, administrators can track user activities, identify potential security breaches, and troubleshoot issues effectively. In this article, we will explore various methods to log the executions of specific commands on Linux, providing insights into monitoring, auditing, and enhancing the overall security of your system.

Understanding Auditing and Logging

Auditing involves tracking and recording events that occur on a system. In Linux, the audit system is a powerful tool that allows administrators to log events related to the kernel, processes, and user activities. To start monitoring command executions, you need to enable auditing.

Enabling Auditing on Linux

To enable auditing, first ensure that the audit daemon (auditd) is installed and running on your system. You can install it using your package manager:


sudo apt install auditd  # On Debian/Ubuntu

sudo yum install audit  # On CentOS/RHEL


Next, start and enable the auditd service:


sudo systemctl start auditd

sudo systemctl enable auditd


Defining Audit Rules

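With auditing enabled, you can define specific audit rules to log command executions. Audit rules are written in the `/etc/audit/audit.rules` file. On distributions that build this file with `augenrules`, it is regenerated from the files in `/etc/audit/rules.d/` when auditd starts, so on those systems put persistent rules in a `.rules` file in that directory instead. To monitor a particular command, you need to add a rule that captures its execution.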

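For example, to monitor the `ls` command, add the following rule:


echo "-a always,exit -F path=/usr/bin/ls -F perm=x -F auid>=1000 -F auid!=4294967295 -k command_executions" | sudo tee -a /etc/audit/audit.rules


The rule is piped through `sudo tee -a` because a `>>` redirection would be performed by your own unprivileged shell, not by sudo. In this rule, `-F perm=x` limits matches to executions of the file, so we specify that whenever the `ls` command is executed by a user with an ID greater than or equal to 1000 (auid>=1000) and not by the system itself (auid!=4294967295, the value of an unset login UID), the event should be logged and associated with the key “command_executions.”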

Reloading Audit Rules

After adding or modifying audit rules, reload the rules for them to take effect:


sudo systemctl restart auditd


Viewing Audit Logs

The logged events are stored in `/var/log/audit/audit.log`. To view these logs, you can use the `ausearch` and `aureport` utilities.

To check for all logged command executions:


sudo ausearch -k command_executions
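What `ausearch` is stitching together, shown as an added example that is not part of the original article: each execution produces several records sharing one `audit(timestamp:serial)` ID, and the script below joins the SYSCALL record (who, which binary, which key) with the EXECVE record (the arguments). The log lines are constructed and trimmed, and the function names are assumptions; note that `auid` stays at the login user even when `uid` is 0.

```sh
# Constructed sample in /var/log/audit/audit.log format (records trimmed, values made up).
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2150 auid=1000 uid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="command_executions"
type=EXECVE msg=audit(1700000000.123:101): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000007.456:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2151 auid=1001 uid=0 tty=pts1 ses=4 comm="ls" exe="/usr/bin/ls" key="command_executions"
type=EXECVE msg=audit(1700000007.456:102): argc=2 a0="ls" a1=2F746D702F6D7920646972
type=SYSCALL msg=audit(1700000009.789:103): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=900 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="other_key"
EOF
}

# Read audit records on stdin; print one line per event tagged with key $1.
summarize_exec_events() {
  awk -v want="$1" '
    function unhex(s,   i, out) {   # unquoted values are hex-encoded (spaces, control chars)
      for (i = 1; i < length(s); i += 2)
        out = out sprintf("%c", (index(H, substr(s, i, 1)) - 1) * 16 + index(H, substr(s, i + 1, 1)) - 1)
      return out
    }
    function val(v) { return (v ~ /^".*"$/) ? substr(v, 2, length(v) - 2) : unhex(v) }
    BEGIN { H = "0123456789ABCDEF" }
    {
      if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
      id = substr($0, RSTART, RLENGTH)      # timestamp:serial ties the records of one event together
      split("", f)                          # reset the per-line field map
      for (i = 3; i <= NF; i++) { eq = index($i, "="); f[substr($i, 1, eq - 1)] = substr($i, eq + 1) }
    }
    $1 == "type=SYSCALL" && f["key"] == "\"" want "\"" {
      order[++n] = id
      who[id] = "auid=" f["auid"] " uid=" f["uid"] " exe=" val(f["exe"])
    }
    $1 == "type=EXECVE" {
      for (i = 0; i < f["argc"] + 0; i++) argv[id] = argv[id] (i ? " " : "") val(f["a" i])
    }
    END { for (i = 1; i <= n; i++) print who[order[i]] " argv=[" argv[order[i]] "]" }
  '
}

sample_audit_log | summarize_exec_events command_executions
```

On a live system the same function can read `sudo cat /var/log/audit/audit.log` on stdin; `ausearch -i` performs the same hex decoding for you.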


Generating Detailed Reports

The `aureport` tool generates detailed reports from audit logs. To generate a report on command executions:


sudo aureport -x


This report will present a summary of commands executed, along with timestamps and user information.

Logging Multiple Commands

To log multiple commands, add individual rules for each command of interest. Alternatively, a single rule can cover every command in a directory. Audit rules do not expand shell-style wildcards in `path`, so use the `dir` field, which watches the directory and everything beneath it. For instance, to log all commands within `/usr/bin`:


echo "-a always,exit -F dir=/usr/bin -F perm=x -F auid>=1000 -F auid!=4294967295 -k command_executions" | sudo tee -a /etc/audit/audit.rules


Managing Log Rotation

Audit logs can grow significantly, so it’s essential to implement log rotation to manage disk space efficiently. To configure log rotation, edit the `/etc/audit/auditd.conf` file:


sudo nano /etc/audit/auditd.conf


Modify the `max_log_file` parameter to set the maximum log file size, and the `num_logs` parameter to specify the number of rotated log files to keep.

Centralized Logging

For larger environments, consider implementing centralized logging with tools like Elasticsearch, Logstash, and Kibana (ELK stack). This approach allows you to store and analyze logs from multiple systems in a centralized location, simplifying monitoring and analysis.


How do I log every command executed by a user?

To keep track of all user commands, set the PROMPT_COMMAND environment variable in the shell configuration file. PROMPT_COMMAND is a special bash variable whose contents are executed just before each shell prompt appears. Setting it this way enables command logging for all bash shells.
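A minimal form of such a hook, as an added example that is not from the original article; the file location (`/etc/profile.d/cmdlog.sh`), the function names and the `cmdlog` syslog tag are assumptions. The hook runs inside the user's own shell and can be changed from there, so keep the audit rules as the authoritative record.

```sh
# Added example: intended for a file such as /etc/profile.d/cmdlog.sh (assumed path),
# which interactive bash login shells source at startup.

# Build one log record; kept separate so the format is easy to check.
cmdlog_format() {   # $1=user $2=tty $3=cwd $4=command line
  printf 'user=%s tty=%s cwd=%s cmd=%s' "$1" "$2" "$3" "$4"
}

# Runs before every prompt: send the newest history entry to syslog.
cmdlog_hook() {
  _cmdlog_entry=$(HISTTIMEFORMAT='' history 1)
  # Pressing Enter on an empty line leaves the same entry in place: skip it.
  [ -n "$_cmdlog_entry" ] && [ "$_cmdlog_entry" != "$CMDLOG_PREV" ] || return 0
  CMDLOG_PREV=$_cmdlog_entry
  # Strip the leading history number before logging.
  _cmdlog_cmd=$(printf '%s' "$_cmdlog_entry" | sed 's/^ *[0-9]* *//')
  logger -p authpriv.notice -t cmdlog \
    "$(cmdlog_format "$(id -un)" "$(tty)" "$PWD" "$_cmdlog_cmd")"
}

PROMPT_COMMAND=cmdlog_hook
```

The records arrive wherever syslog routes `authpriv` messages on your distribution.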

How to log all sudo commands?

The log_input and log_output parameters enable sudo to run a command in a pseudo-tty and log all user input and all output sent to the screen, respectively. The default I/O log directory is /var/log/sudo-io, and if there is a session sequence number, it is stored in this directory.


In conclusion, logging the executions of specific commands on a Linux system is a crucial security practice. By enabling auditing, defining audit rules, and monitoring logs, administrators can gain valuable insights into user activities, detect unauthorized actions, and bolster the overall security of their systems. Additionally, implementing log rotation and centralized logging can enhance efficiency and streamline the auditing process. By following these guidelines, system administrators can maintain a secure and well-monitored Linux environment.
