Skip to content

Sync Linux Command Log to GCP

Scenario

Use GCP Ops Agent to synchronize Linux command logs to GCP Log for retention

Process and Description

Configure Linux syslog to record command functionality, retaining all command line records in the shell
Install GCP Ops Agent on Linux, ensuring the service account has Log Writer permissions
Modify Ops Agent settings to forward Linux command logs to GCP

Execution Steps

Configure Linux syslog

Set up default profile

1
whoami="$(whoami)@$(echo $SSH_CONNECTION | awk '{print $1}')"
2
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$whoami [$]: "${PWD/#$HOME/~}" $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

Configure rsyslog

1
local6.* /var/log/commands.log

Restart the service after configuration

1
sudo systemctl restart rsyslog

Configure logrotate

1
/var/log/commands.log
2
{
3
        rotate 4
4
        weekly
5
        missingok
6
        notifempty
7
        compress
8
        delaycompress
9
        sharedscripts
10
        postrotate
11
                /usr/lib/rsyslog/rsyslog-rotate
12
        endscript
13
}

Test logrotate configuration

1
sudo logrotate -d /etc/logrotate.conf

Install GCP Ops Agent

Ensure the GCE service account has Logs Writer permissions
Install Ops Agent

1
curl -sSO https://dl.google.com/cloudagents/add-google-cloud-ops-agent-repo.sh
2
sudo bash add-google-cloud-ops-agent-repo.sh --also-install

Configure Ops Agent after installation You can add other receivers to GCP Logging based on other requirements

1
logging:
2
  receivers:
3
    syslog:
4
      type: files
5
      include_paths:
6
      - /var/log/messages
7
      - /var/log/syslog
8
    user_command:
9
      type: files
10
      include_paths:
11
      - /var/log/commands.log
12
  service:
13
    pipelines:
14
      default_pipeline:
15
        receivers: [syslog, user_command]

Restart ops agent service

1
sudo service google-cloud-ops-agent restart

REF