@jdavidrcamacho
Last active November 24, 2025 17:05
# 1--- In the terminal, run:
# Make sure both log files exist before Fluentd is pointed at them.
sudo touch /var/log/commands.log /var/log/outputs.log
### 2--- Point Fluentd at both files
# Replace the definitions at /etc/fluent/fluentd.conf with this config:
# Global Fluentd setting: log at info level.
<system>
log_level info
</system>
# Commands typed
# Tails commands.log from the start of the file and tags every line
# shell_commands; "@type none" keeps each line unparsed.
<source>
@type tail
path /var/log/commands.log
pos_file /var/log/fluentd/commands.pos
tag shell_commands
<parse>
@type none
</parse>
read_from_head true
</source>
# Everything printed by those commands (stdout+stderr)
# NOTE(review): terminal output can contain secrets (tokens, keys, contents of
# files that were printed). Every line tailed here is shipped off the host by
# the forward store below, so treat the collector as holding sensitive data.
<source>
@type tail
path /var/log/outputs.log
pos_file /var/log/fluentd/outputs.pos
tag shell_outputs
<parse>
@type none
</parse>
read_from_head true
</source>
# Send both to stdout and forward to your collector
# NOTE(review): this forward store sets neither "transport tls" nor a
# <security> section, so records travel to 10.50.20.9:24224 over plain TCP
# without shared-key authentication. Enable both here and on the collector
# before sending these logs across a network you do not fully trust.
# The stdout store also copies every record into Fluentd's own log output.
<match shell_commands shell_outputs>
@type copy
<store>
@type stdout
</store>
<store>
@type forward
<server>
host 10.50.20.9
port 24224
</server>
</store>
</match>
### 3--- Reload Fluentd:
# Restart the service so it picks up the new configuration ...
sudo systemctl restart fluentd.service
# ... then follow its journal to confirm both tail sources started cleanly.
sudo journalctl --unit=fluentd --follow
### 4--- create a group that can read the logs (optional if you already use cmdlog group)
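# Accounts in the cmdlog group may append to the two log files; nobody else
# can read or write them. World-writable modes (666 on the files, 777 on the
# pos-file directory) would let any local user rewrite the logs or swap
# Fluentd's position files, so they are not used here.
sudo groupadd -f cmdlog
sudo chgrp cmdlog /var/log/commands.log /var/log/outputs.log
sudo chmod 660 /var/log/commands.log /var/log/outputs.log

# Fluentd must be able to read the logs and is the only writer of its pos
# files. An empty User= means the unit runs as root and needs no membership.
fluentd_user=$(systemctl show -p User --value fluentd)
if [ -n "$fluentd_user" ]; then
  sudo usermod -aG cmdlog "$fluentd_user"
  sudo chown "$fluentd_user" /var/log/fluentd
fi
sudo chmod 750 /var/log/fluentd

# Let the current account write to the logs.
sudo usermod -aG cmdlog "$USER"

# Group membership only applies to new sessions: restart the service now and
# log out and back in before testing the shell logging.
sudo systemctl restart fluentd

# Residual risk: every cmdlog member can still edit or truncate these files.
# If the logs must resist tampering by the logged users, consider the
# append-only attribute (chattr +a) and adapt log rotation to it.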
### 5--- Add the following command + output logging block to ~/.bashrc
# --- Command + output logging for Fluentd ---
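# Shell command + output logging, tailed by Fluentd.
#
# Limits to keep in mind when relying on these logs:
#   - This lives in the user's own bashrc, so the user can disable it; it is a
#     convenience log, not a tamper-proof audit trail.
#   - Everything printed to the terminal is recorded, including any secret a
#     command happens to display.
#   - The command text comes from `history 1`: an empty Enter re-logs the
#     previous entry, and commands kept out of history (for example by
#     HISTCONTROL=ignorespace) are not recorded.
#   - Nested interactive shells inherit BASH_CMD_OUT_LOGGER_SET and a piped
#     stdout, so their commands are not logged (their output still is).
COMMANDS_LOG="/var/log/commands.log"
OUTPUTS_LOG="/var/log/outputs.log"

# Only for interactive terminals, once per shell
if [[ $- == *i* ]] && [ -t 1 ] && [ -z "$BASH_CMD_OUT_LOGGER_SET" ]; then
  export BASH_CMD_OUT_LOGGER_SET=1

  # No umask change here: the log files already exist with their final modes,
  # and loosening the umask would make every file created in this session
  # group-writable.

  # Resolve the terminal name once, while stdin is still the terminal. The
  # output logger below reads from a pipe, where `tty` prints "not a tty".
  CMD_LOG_TTY=$(tty 2>/dev/null)

  # Per-shell state file holding the current PWD. mktemp creates it with an
  # unpredictable name and owner-only permissions, so another local user
  # cannot pre-create or read it in a shared /tmp.
  CMD_PWD_STATE_FILE=$(mktemp "${XDG_RUNTIME_DIR:-/tmp}/cmdpwd_${UID}_XXXXXX" 2>/dev/null) \
    || CMD_PWD_STATE_FILE=""
  if [[ -n "$CMD_PWD_STATE_FILE" ]]; then
    # Remove the state file when this shell exits instead of leaving it behind.
    trap 'rm -f -- "$CMD_PWD_STATE_FILE"' EXIT
  fi

  #######################################
  # Reads command output from stdin and appends one structured line per input
  # line to OUTPUTS_LOG. Values are written with %q, so newlines and control
  # characters in the output cannot forge extra log records.
  # Globals:   OUTPUTS_LOG, CMD_LOG_TTY, USER (read)
  # Arguments: $1 - state file containing the current working directory
  #######################################
  _log_output_to_file() {
    local state_file="$1"
    local line
    local curr_pwd
    while IFS= read -r line; do
      # "?" when the state file is missing or was never created.
      curr_pwd=$(cat "$state_file" 2>/dev/null || echo "?")
      printf '%s user=%q tty=%q pwd=%q output=%q\n' \
        "$(date --iso-8601=seconds)" "$USER" "$CMD_LOG_TTY" "$curr_pwd" "$line" \
        >> "$OUTPUTS_LOG"
    done
  }

  # Send stdout+stderr through tee:
  # - to the terminal (normal behaviour)
  # - and through _log_output_to_file (which writes to OUTPUTS_LOG)
  exec > >(stdbuf -oL tee >( _log_output_to_file "$CMD_PWD_STATE_FILE" )) 2>&1

  shopt -s histappend
  export HISTTIMEFORMAT="%F %T "

  #######################################
  # Runs before each prompt: logs the most recent history entry to
  # COMMANDS_LOG, refreshes the PWD state file and flushes history to disk.
  # Globals:   COMMANDS_LOG, CMD_LOG_TTY, CMD_PWD_STATE_FILE, USER, PWD (read)
  # Returns:   the exit status of the command that ran before the prompt, so
  #            later PROMPT_COMMAND entries still see it in $?
  #######################################
  _log_last_command() {
    local rc=$?
    local last_cmd
    # Strip the leading history number; HISTTIMEFORMAT is emptied so no
    # timestamp is printed in front of the command.
    last_cmd=$(HISTTIMEFORMAT= history 1 | sed 's/^ *[0-9]\+ *//')
    # Log the command itself
    printf '%s user=%q tty=%q pwd=%q cmd=%q\n' \
      "$(date --iso-8601=seconds)" "$USER" "$CMD_LOG_TTY" "$PWD" "$last_cmd" \
      >> "$COMMANDS_LOG"
    # Update the "current directory" state for the output logger
    if [[ -n "$CMD_PWD_STATE_FILE" ]]; then
      printf '%s\n' "$PWD" > "$CMD_PWD_STATE_FILE"
    fi
    history -a
    return "$rc"
  }

  # Keep any prompt command that was already configured instead of replacing it.
  PROMPT_COMMAND="_log_last_command${PROMPT_COMMAND:+; $PROMPT_COMMAND}"
fi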
# --- End command + output logging ---
### 6--- Log out and back in (or exec bash) so the redirection is active.
# Load the new block into the current shell.
. ~/.bashrc
### 7--- Quick test:
echo "hello from out" # should appear on screen and in /var/log/outputs.log
git --version # outputs captured; command itself in /var/log/commands.log
# Show the newest records written by the two loggers.
tail --lines=5 /var/log/commands.log
tail --lines=20 /var/log/outputs.log