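I want to execute a command remotely and observe its log on the remote machine.
Say I execute locally: ssh app_81 ls /
I want to see the logs for this command on the app_81 box. However, I only see the login logs, not the logs of the command that was run: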
ubuntu@ip-10-0-1-81:/var/log$ ll -ltr | tail -n 3
-rw-rw-r-- 1 root utmp 292292 Apr 5 16:44 lastlog
-rw-r----- 1 syslog adm 21000 Apr 5 19:10 auth.log
-rw-r----- 1 syslog adm 21760 Apr 5 19:14 syslog
ubuntu@ip-10-0-1-81:/var/log$ tail syslog
Apr 5 19:10:16 ip-10-0-1-81 dhclient[916]: DHCPREQUEST of 10.0.1.81 on eth0 to 10.0.1.1 port 67 (xid=0x23563ebf)
Apr 5 19:10:16 ip-10-0-1-81 dhclient[916]: DHCPACK of 10.0.1.81 from 10.0.1.1
Apr 5 19:10:16 ip-10-0-1-81 root: /etc/dhcp/dhclient-enter-hooks.d/samba returned non-zero exit status 1
Apr 5 19:10:16 ip-10-0-1-81 dhclient[916]: bound to 10.0.1.81 -- renewal in 1651 seconds.
Apr 5 19:10:17 ip-10-0-1-81 systemd[1]: Started Session 1731 of user ubuntu.
Apr 5 19:10:40 ip-10-0-1-81 systemd[1]: Started Session 1732 of user ubuntu.
Apr 5 19:14:15 ip-10-0-1-81 systemd-timesyncd[20400]: Timed out waiting for reply from 91.189.89.198:123 (ntp.ubuntu.com).
Apr 5 19:14:25 ip-10-0-1-81 systemd-timesyncd[20400]: Timed out waiting for reply from 91.189.89.199:123 (ntp.ubuntu.com).
Apr 5 19:14:36 ip-10-0-1-81 systemd-timesyncd[20400]: Timed out waiting for reply from 91.189.91.157:123 (ntp.ubuntu.com).
Apr 5 19:14:46 ip-10-0-1-81 systemd-timesyncd[20400]: Timed out waiting for reply from 91.189.94.4:123 (ntp.ubuntu.com).
ubuntu@ip-10-0-1-81:/var/log$ tail auth.log
Apr 5 19:10:17 ip-10-0-1-81 sshd[10352]: Disconnected from 10.0.0.80 port 43764
Apr 5 19:10:17 ip-10-0-1-81 sshd[10320]: pam_unix(sshd:session): session closed for user ubuntu
Apr 5 19:10:17 ip-10-0-1-81 systemd-logind[1122]: Removed session 1731.
Apr 5 19:10:40 ip-10-0-1-81 sshd[10367]: Accepted publickey for ubuntu from 10.0.0.80 port 43766 ssh2: RSA SHA256:OhHSoIWEYhfqaIYaE5tNvgZMPY3AEYgJDv4c1H/Gxm8
Apr 5 19:10:40 ip-10-0-1-81 sshd[10367]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Apr 5 19:10:40 ip-10-0-1-81 systemd-logind[1122]: New session 1732 of user ubuntu.
Apr 5 19:10:41 ip-10-0-1-81 sshd[10401]: Received disconnect from 10.0.0.80 port 43766:11: disconnected by user
Apr 5 19:10:41 ip-10-0-1-81 sshd[10401]: Disconnected from 10.0.0.80 port 43766
Apr 5 19:10:41 ip-10-0-1-81 sshd[10367]: pam_unix(sshd:session): session closed for user ubuntu
Apr 5 19:10:41 ip-10-0-1-81 systemd-logind[1122]: Removed session 1732.
Is it simply not logged at all, or am I not looking in the right place?
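Answer 1
This is the correct behavior. SSH does not log the commands issued (other than su, used to change users).
If you want commands to be logged, then you should use sudo for all commands.
The user's BASH history will also capture the activity.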
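Added example, not part of the original question or answer: a small auth.log audit that pairs each sshd session with the sudo COMMAND= entries logged while it was open, showing why the question's session leaves no command trace while a sudo-wrapped one does. The sample lines are constructed (the second session, PID 10500 and its sudo entry are assumptions), and the function name audit_sessions is hypothetical.

```python
import re

# Constructed sample in auth.log format. Session 1 mirrors the question's
# `ssh app_81 ls /`; session 2 (pid 10500) is an assumed run of
# `ssh app_81 sudo ls /`, which makes sudo write a COMMAND= entry.
SAMPLE = """\
Apr 5 19:10:40 ip-10-0-1-81 sshd[10367]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Apr 5 19:10:41 ip-10-0-1-81 sshd[10367]: pam_unix(sshd:session): session closed for user ubuntu
Apr 5 19:20:01 ip-10-0-1-81 sshd[10500]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Apr 5 19:20:02 ip-10-0-1-81 sudo:   ubuntu : TTY=unknown ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/ls /
Apr 5 19:20:02 ip-10-0-1-81 sshd[10500]: pam_unix(sshd:session): session closed for user ubuntu
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (sshd|sudo)(?:\[(\d+)\])?: (.*)$")
OPENED = re.compile(r"session opened for user (\S+)")
CLOSED = re.compile(r"session closed for user (\S+)")
SUDO = re.compile(r"^\s*(\S+) : .*?\bCOMMAND=(.*)$")

def audit_sessions(text):
    """Return one record per sshd session, with any sudo commands seen in it."""
    sessions, open_by_user = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other daemons (systemd-logind, cron, ...) are ignored
        ts, prog, pid, msg = m.groups()
        if prog == "sshd" and (o := OPENED.search(msg)):
            s = {"user": o.group(1), "pid": pid, "opened": ts,
                 "closed": None, "commands": []}
            sessions.append(s)
            open_by_user.setdefault(s["user"], []).append(s)
        elif prog == "sshd" and (c := CLOSED.search(msg)):
            for s in open_by_user.get(c.group(1), []):
                if s["pid"] == pid:  # open/close lines share the sshd pid
                    s["closed"] = ts
                    open_by_user[c.group(1)].remove(s)
                    break
        elif prog == "sudo" and (cmd := SUDO.match(msg)):
            # Assumption: attribute the command to the invoking user's most
            # recently opened session; concurrent sessions are ambiguous.
            stack = open_by_user.get(cmd.group(1))
            if stack:
                stack[-1]["commands"].append(cmd.group(2))
    return sessions

if __name__ == "__main__":
    for s in audit_sessions(SAMPLE):
        trace = "; ".join(s["commands"]) or "no command logged"
        print(f'{s["user"]} sshd[{s["pid"]}] {s["opened"]} -> {s["closed"]}: {trace}')
```
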