Question: How to log every user command, executed with or without sudo, and forward these logs to a central log file?
To configure auditd to log all user commands, follow the steps below.
1. Install the audit package with yum:
# yum install audit
2. Enable the auditd service so that it starts automatically at boot time:
# chkconfig auditd on
3. Add the following lines to /etc/audit/audit.rules (one rule for 64-bit and one for 32-bit programs, so that every execve system call is recorded):
# vi /etc/audit/audit.rules
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
4. Start the service:
# service auditd start
With this configuration auditd writes every command executed by any user to /var/log/audit/audit.log by default. You can change the log location and other settings by editing /etc/audit/auditd.conf.
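The execve rules above produce, for each command, a pair of records in audit.log that share one event id: a SYSCALL record (who ran it: auid, uid, euid, tty, exe) and an EXECVE record (the argument vector). The following script is an added example, not part of the original answer or of the audit package; it parses that raw log format and joins the two records so that each command is listed with the login uid (auid), which stays the same when the user escalates through sudo. The log lines in SAMPLE_LOG are constructed for the example, and the script assumes auditd's default raw log layout; it does not reassemble very long arguments that auditd splits into a1[0], a1[1] chunks.

```python
import re
from collections import OrderedDict

# Constructed sample lines in auditd's raw log format (not taken from the page).
# Login uid 1000 runs `ls -la`, then `sudo id` (the child `id` runs with uid=0 but
# auid stays 1000), then `echo "hello world"`; auditd hex-encodes an argument that
# contains a space instead of quoting it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=59 success=yes exit=0 a0=55e1 a1=55e2 a2=55e3 a3=0 items=2 ppid=4000 pid=4010 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=EXECVE msg=audit(1700000000.250:202): argc=2 a0="sudo" a1="id"
type=SYSCALL msg=audit(1700000000.251:203): arch=c000003e syscall=59 success=yes exit=0 a0=55f1 a1=55f2 a2=55f3 a3=0 items=2 ppid=4010 pid=4011 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key=(null)
type=EXECVE msg=audit(1700000000.251:203): argc=1 a0="id"
type=SYSCALL msg=audit(1700000000.300:204): arch=c000003e syscall=59 success=yes exit=0 a0=5601 a1=5602 a2=5603 a3=0 items=2 ppid=4000 pid=4020 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="echo" exe="/usr/bin/echo" key=(null)
type=EXECVE msg=audit(1700000000.300:204): argc=2 a0="echo" a1=68656C6C6F20776F726C64
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>): <key=value fields>
EVENT_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either "quoted" or bare (numbers, paths, hex, (null))
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unquote(raw):
    """Strip the double quotes auditd puts around printable string values."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def decode_arg(raw):
    """Decode one EXECVE argument: quoted text as-is, bare hex (used for args
    with spaces, quotes or control characters) decoded to text."""
    if raw.startswith('"'):
        return unquote(raw)
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_audit_log(text):
    """Group raw audit records by event id (timestamp:serial), in first-seen order."""
    events = OrderedDict()
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an audit record (blank line, extraction noise)
        event_id = m.group('ts') + ':' + m.group('serial')
        ev = events.setdefault(event_id, {'ts': float(m.group('ts'))})
        # values keep their quoting here so EXECVE args can be decoded correctly later
        ev[m.group('type')] = dict(FIELD_RE.findall(m.group('body')))
    return events


def executed_commands(text):
    """Return one dict per execve event: who ran what, keeping the login uid
    (auid) even when uid/euid changed through sudo."""
    commands = []
    for ev in parse_audit_log(text).values():
        sc, ex = ev.get('SYSCALL'), ev.get('EXECVE')
        if sc is None or ex is None:
            continue  # incomplete event; both halves are needed to attribute a command
        argc = int(ex.get('argc', '0'))
        argv = [decode_arg(ex['a%d' % i]) for i in range(argc) if ('a%d' % i) in ex]
        commands.append({
            'ts': ev['ts'],
            'auid': sc.get('auid'),          # login uid, survives su/sudo
            'uid': sc.get('uid'),
            'euid': sc.get('euid'),
            'tty': sc.get('tty'),
            'exe': unquote(sc.get('exe', '')),
            'success': sc.get('success') == 'yes',
            'argv': argv,
        })
    return commands


def privileged_commands(commands):
    """Commands that ran with root privileges (euid 0), regardless of who logged in."""
    return [c for c in commands if c['euid'] == '0']


def format_command(c):
    """One readable line per command, suitable for a review report."""
    return 'auid=%s uid=%s euid=%s tty=%s exe=%s argv=%r' % (
        c['auid'], c['uid'], c['euid'], c['tty'], c['exe'], c['argv'])


if __name__ == '__main__':
    for cmd in executed_commands(SAMPLE_LOG):
        print(format_command(cmd))
```

On the audited host itself, `ausearch -i` performs the same kind of field interpretation; the point of the standalone parser is that it works on a copy of audit.log wherever it ends up, and that the auid column, not uid, is what ties a root command back to the person who typed it.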