I want to collect Linux terminal commands logs

[Süleyman Pamuk]

Hi everyone
I want to collect some Linux client terminal commands logs from " ~/.bash_history" path. I saw different 2 topics and i tried them, but they didn't work.

https://groups.google.com/g/wazuh/c/NDubqeN8ujg/m/_jSxge_CAQAJ

https://github.com/wazuh/wazuh/issues/5757

Could you help me about this topic?

[Juan Cabrera]

Hello Süleyman Pamuk,

I am checking why the localfile is failing to use the ~ symbol in the path.

Can you tell me which version of Wazuh you are using?

On the other hand, could you tell me if you collect the logs using the full path instead of ~? You would have to change ~/.bash_history to /home/USER/.bash_history.

Regards,
Juan Cabrera

​

[Süleyman Pamuk]

Hi Juan

I'm using 4.3.3 version for wazuh.  About "~" symbol, i want to collect different users logs so i'm using  "~" symbol.

Thank you for help

19 Ekim 2022 Çarşamba tarihinde saat 12:57:06 UTC+3 itibarıyla Juan Cabrera şunları yazdı:

[Fabio Zuber]

`~` maps to the current user home. I'm not sure which user is used for the agent, but using `/home/*/.bash_history` is probably safe.

Just in case: Here are the docs for the location wildcard patterns https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#location.

[Juan Cabrera]

As Fabio has indicated, the use of  ~ is only for the running user, not for everyone. You would have to use wildcards for your case.

Remember that the root user does not have his files in home like the rest, you should use /root/.bash_history.

Regards,
Juan Cabrera

​