Every Linux system provides an in-built history command that keeps a track of all past commands executed on the system. It maintains a separate file called ~/.bash_history which allows system administrators to view past commands executed by all users, and allows individual users to view their own commands.
Here is a sample output of history command. It basically shows serial number of command, along with the actual command executed. It does not contain any information about timestamp and user who executed these commands. Sometimes you may need to view Linux history with timestamp and user in Linux. In this article, we will learn how to view Linux history with timestamp and user.
Linux History with Timestamp and User
If you want to view history with timestamp and user you need to specify its format while the history is being written. You can only retrieve information that you have already written to the history file. If it is not recorded during command execution, you won’t be able to retrieve it later.
To set or change the default format of history file’s entries, use the HISTIMEFORMAT. To set HISTTIMEFORMAT temporarily, use the export command as shown below.
$ export HISTTIMEFORMAT='%F %T'
In the above command,
%F– expands to full date same, as %Y-%m-%d (year-month-date).%T– expands to time; same as %H:%M:%S (hour:minute:seconds).
If you want to also view username in history entries, you need to use pstree command to extract the username.
$ original_user=${SUDO_USER:-$(pstree -Alsu "$$" |
sed -n "s/.*(\([^)]*\)).*($USER)[^(]*$/\1/p")}
$ export HISTTIMEFORMAT="<%F %T> (${original_user:-$USER}) [$$] "
Let us look at the above command in detail.
When we start a root shell as sudo -i or sudo -s or sudo su or sudo bash, the original user is available as $SUDO_USER.
But when started as sudo su -, the environment is cleared by su, so you’ll have to find another way to find the original user.
The format of pstree -Alsu command looks like the following.
init---xterm(user)---zsh---sudo(root)---su---bash---pstree
We use sed command to extract the user part from it.
Now if you run history command, you will see that the format of entries has changed.
$ history
But please note, this format of history stays only as long as your current session. It will be reset to the default format once you start a new session or reboot your system.
If you want to permanently change the history format, open ~/.bashrc file in text editor.
$ vi ~/.bashrc
Add the following line to set the history entry’s format.
original_user=${SUDO_USER:-$(pstree -Alsu "$$" |
sed -n "s/.*(\([^)]*\)).*($USER)[^(]*$/\1/p")}
export HISTTIMEFORMAT="<%F %T> (${original_user:-$USER}) [$$] "
If you only want to view time & date, and not username, of each command, add the following lines.
export HISTTIMEFORMAT='%F %T'
Save and close the file. Now the change will be permanent.
In this article, we have learnt how to view datetime and username in history command. You can customize it as per your requirement.
Also read:
How to Disable Swap in Linux
How to Call C Function in Python
How to Change Default MySQL Data Directory
How to Run MySQL Query from Command Line
How to Restore MongoDB Dump File