{
	"id": "ef5d2c0e-a5f0-42ce-b54c-d9711ba2bb0f",
	"created_at": "2026-04-06T01:29:16.864659Z",
	"updated_at": "2026-04-10T13:13:08.550369Z",
	"deleted_at": null,
	"sha1_hash": "7fe4f5c7c0775e717a05292d49e85e8db80a3962",
	"title": "How to enable command line audit logging in linux | Confluence | Atlassian Support",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57338,
	"plain_text": "How to enable command line audit logging in linux | Confluence |\r\nAtlassian Support\r\nBy Atlassian\r\nPublished: 2025-04-08 · Archived: 2026-04-06 01:04:16 UTC\r\nPlatform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.\r\nNote that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for\r\nServer* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian\r\nServer end of support announcement to review your migration options.\r\n*Except Fisheye and Crucible\r\nSummary\r\nThe content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot\r\nguarantee providing any support for it. Please be aware that this material is provided for your information only\r\nand that you use it at your own risk.\r\nThis KB article contains information that is outside of the Atlassian Support Offerings and is provided as a\r\nsuggestion to achieve the mentioned goal.\r\nThis is not intended as a complete solution nor as a recommendation to use on production instances.\r\nAs this involves security concerns, the administrator should work in conjunction with their security team to\r\nunderstand the best solution available to their company.\r\nThis article describes how to record all commands entered into the shell in a Linux environment to a log file. This can be useful for auditing\r\nuser actions or for security audits.\r\nThis is not specific to Confluence or any product, but it will audit command line actions, including those\r\nrelated to Confluence. 
Service restarts, all inputs from bash, and user actions should all be logged using this\r\nmethod.\r\nAs an alternative you may consider Snoopy:\r\nSnoopy is a small library that logs all program executions on your Linux/BSD system.\r\nSolution\r\n1. Log in to the Linux box and assume root:\r\nsudo su -\r\n2. Edit /etc/profile and add the following lines to the bottom of the file:\r\n# command line audit logging\r\nfunction log2syslog\r\n{\r\n   declare COMMAND\r\n   COMMAND=$(fc -ln -0)\r\n   logger -p local1.notice -t bash -i -- \"${USER}:${COMMAND}\"\r\n}\r\n# run log2syslog before each command via the DEBUG trap\r\ntrap log2syslog DEBUG\r\n3. Save and exit /etc/profile\r\n4. Edit /etc/rsyslog.conf and add the following lines to the bottom of the file:\r\n# command line audit logging\r\nlocal1.* -/var/log/cmdline\r\n5. Save and exit /etc/rsyslog.conf\r\n6. Either restart the rsyslog service, or restart the whole machine to release all user sessions, forcing a reload\r\nof the bash profile and enacting the changes:\r\n/etc/init.d/rsyslog restart\r\n7. 
The audit logging will be visible under /var/log/syslog and /var/log/cmdline and will look like this:\r\nAug 22 15:04:39 ip-10-10-34-56 bash[15856]: jsmith:\r\nAug 22 15:04:40 ip-10-10-34-56 bash[15859]: jsmith:#011 sudo su -\r\nAug 22 15:04:43 ip-10-10-34-56 bash[15893]: root:\r\nAug 22 15:04:49 ip-10-10-34-56 bash[15903]: root:#011 ls -lart /var/log\r\nAug 22 15:05:01 ip-10-10-34-56 CRON[15927]: (root) CMD (command -v debian-sa1 \u003e /dev/null \u0026\u0026 debian-sa1 1 1)\r\nAug 22 15:05:06 ip-10-10-34-56 bash[15937]: root:#011 ls -lart /var/log | grep cmd\r\nAug 22 15:15:01 ip-10-10-34-56 CRON[17254]: (root) CMD (command -v debian-sa1 \u003e /dev/null \u0026\u0026 debian-sa1 1 1)\r\nAug 22 15:17:01 ip-10-10-34-56 CRON[17513]: (root) CMD ( cd / \u0026\u0026 run-parts --report /etc/cron.hourly)\r\nAug 22 15:20:02 ip-10-10-34-56 bash[17921]: root:#011 cd /var/log\r\nAug 22 15:20:03 ip-10-10-34-56 bash[17924]: root:#011 ls\r\nAug 22 15:20:16 ip-10-10-34-56 bash[17969]: root:#011 service confluence restart\r\nAug 22 15:20:16 ip-10-10-34-56 systemd[1]: Stopping SYSV: Confluence...\r\nAug 22 15:20:16 ip-10-10-34-56 confluence[17975]: Stopping confluence\r\nAug 22 15:20:16 ip-10-10-34-56 systemd[1]: Started Session c8 of user confluence.\r\nAug 22 15:20:27 ip-10-10-34-56 confluence[17975]: confluence stopped successfully\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[1]: Stopped SYSV: Confluence.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[1]: Starting SYSV: Confluence...\r\nAug 22 15:20:27 ip-10-10-34-56 confluence[18103]: Starting confluence\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[1]: Stopping User Manager for UID 1300...\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Default.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Basic System.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Paths.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Timers.\r\n
Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Reached target Shutdown.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Starting Exit the Session...\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Sockets.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Received SIGRTMIN+24 from PID 18107 (kill).\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[1]: Stopped User Manager for UID 1300.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[1]: Removed slice User Slice of confluence.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[1]: Created slice User Slice of confluence.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[1]: Starting User Manager for UID 1300...\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[1]: Started Session c9 of user confluence.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Paths.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Timers.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Sockets.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Basic System.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Default.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Startup finished in 9ms.\r\nAug 22 15:20:27 ip-10-10-34-56 systemd[1]: Started User Manager for UID 1300.\r\nAug 22 15:20:28 ip-10-10-34-56 systemd[1]: Started SYSV: Confluence.\r\nAug 22 15:20:41 ip-10-10-34-56 bash[18207]: root:#011 ls\r\nAug 22 15:20:54 ip-10-10-34-56 bash[18271]: root:#011 less syslog\r\n8. 
You may consider saving the log on an NFS mount and/or pushing the syslog logs to another machine.\r\nUpdated on September 25, 2025\r\nSource: https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html"
	],
	"report_names": [
		"how-to-enable-command-line-audit-logging-in-linux-956166545.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438956,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7fe4f5c7c0775e717a05292d49e85e8db80a3962.pdf",
		"text": "https://archive.orkl.eu/7fe4f5c7c0775e717a05292d49e85e8db80a3962.txt",
		"img": "https://archive.orkl.eu/7fe4f5c7c0775e717a05292d49e85e8db80a3962.jpg"
	}
}