Command History Collection and Logging - Ops Notes

#User command collection and logging

https://www.cnblogs.com/kevingrace/p/5570411.html

Environment: CentOS 7

```
yum install rsyslog -y
```

1. Server

```
[root@server ]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
# Enable UDP input
$ModLoad imudp
# Listening port
$UDPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Write records to a directory named after the remote host
$template Remote,"/data/logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# Exclude the local host's own command records
:fromhost-ip, !isequal, "127.0.0.1" ?Remote

$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
authpriv.* /var/log/secure
mail.err -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.info;mail.none;authpriv.none;cron.none;auth.none;local6.none; /var/log/messages
local0.* /var/log/keepalived.log
local6.info /var/log/.history.log
local4.* /var/log/history.log
```

2. Client

```
[root@client ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
authpriv.* /var/log/secure
mail.err -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.info;mail.none;authpriv.none;cron.none;auth.none;local6.none; /var/log/messages
local0.* /var/log/keepalived.log
local6.info /var/log/.history.log
# Added at the end
local5.* @172.16.58.21
```

On the client, add the following to both /etc/profile and /etc/bashrc. (SSH sessions default to a non-login shell, and a non-login shell initializes its environment variables from the bashrc script, whereas a login shell initializes them from the profile script.)

```
# read -r and the quoted "$y" keep backslashes and glob characters in the logged command as typed
export PROMPT_COMMAND='{ command=$(history 1 | { read -r x y; printf "%s" "$y"; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'
```
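To review what the server collects under /data/logs/, the records can be parsed back into fields. The Python below is an added example, not part of the original post: it parses the message written by the PROMPT_COMMAND above, tolerates commas in `pwd` and `command`, sets aside lines that do not match, and drops the consecutive repeats that appear because PROMPT_COMMAND runs at every prompt. The sample lines, the hostname `client` and the 192.0.2.10 address are constructed, treating (host, user, ppid) as one session is an assumption, and every field originates in the client's environment, so the values should be read as untrusted.

```python
import re
from collections import namedtuple
# Layout (RSYSLOG_TraditionalFileFormat header + the logger message from this page):
#   Mon DD HH:MM:SS host bash[pid]: user=..,ppid=..,from=..,pwd=..,command:..
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) bash(?:\[\d+\])?: "
    r"user=(?P<user>[^,]*),ppid=(?P<ppid>\d+),from=(?P<src>[^,]*),"
    r"pwd=(?P<pwd>.*?),command:(?P<command>.*)$"
)
Record = namedtuple("Record", "ts host user ppid src_ip pwd command")

def parse_line(line):
    """Return a Record, or None when the line does not match the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    # $SSH_CLIENT is "client_ip client_port server_port"; empty outside SSH.
    src = m["src"].split()
    return Record(m["ts"], m["host"], m["user"], int(m["ppid"]),
                  src[0] if src else "", m["pwd"], m["command"])

def audit(lines):
    """Return (records, rejected): de-duplicated records and unparsable lines."""
    records, rejected, last = [], [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)  # keep for manual review, never drop silently
            continue
        key = (rec.host, rec.user, rec.ppid)  # assumed session identity
        # PROMPT_COMMAND runs at every prompt, so an empty Enter re-logs the
        # previous command; skip consecutive repeats within a session.
        if last.get(key) != (rec.pwd, rec.command):
            records.append(rec)
        last[key] = (rec.pwd, rec.command)
    return records, rejected

SAMPLE = [  # constructed sample lines, not taken from a real host
    "Jun  8 14:02:11 client bash[2315]: user=root,ppid=2290,from=192.0.2.10 51234 22,pwd=/root,command:ls -l /data/logs",
    "Jun  8 14:02:19 client bash[2318]: user=root,ppid=2290,from=192.0.2.10 51234 22,pwd=/root,command:ls -l /data/logs",
    "Jun  8 14:02:30 client bash[2321]: user=root,ppid=2290,from=192.0.2.10 51234 22,pwd=/srv/a,b,command:echo one,two",
    "Jun  8 14:03:02 client bash[2330]: user=deploy,ppid=3011,from=,pwd=/home/deploy,command:whoami",
    "Jun  8 14:03:05 client sshd[1200]: Accepted publickey for deploy",
]

if __name__ == "__main__":
    for r in audit(SAMPLE)[0]:
        print(r.ts, r.user, r.src_ip or "-", r.pwd, r.command)
```

Because the history number is discarded by the PROMPT_COMMAND, a command that was genuinely run twice in a row is indistinguishable from an empty Enter and is collapsed as well.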