How To Timestamp the KORN Shell History File

If you're like me and you've been looking for the BASH 'HISTTIMEFORMAT' equivalent for HPUX KSH, well, here it is, and I think this is what your E&Y auditors will be happy to see.
####################################
My .profile File
> cat .profile
set -u # error if undefined variable.
trap "echo 'logout root'" 0 # what to do on exit.
trap 'date "+#%c" | read -s' debug # timestamp .sh_history
export HISTFILE=/tmp/$LOGNAME`date +%m%d%y%H%M%S` # Put it in /tmp

My .sh_history file
AKA /tmp/$LOGNAME030911134105

> cat /tmp/f808636030911134105

trap 'date "+# %c" | read -s' debug
# Wed Mar 9 13:42:24 2011
'date "+# %c"'
# Wed Mar 9 13:42:35 2011
history
# Wed Mar 9 13:42:45 2011
trap 'date "+# %c" | read -s' debug
# Wed Mar 9 13:43:02 2011
hisot
# Wed Mar 9 13:43:38 2011
thi
# Wed Mar 9 13:46:14 2011
history
# Wed Mar 9 13:46:16 2011
dog
# Wed Mar 9 13:46:55 2011
cat
ls -la
# Wed Mar 9 13:47:03 2011
cat /etc/passwd
# Wed Mar 9 13:47:09 2011
history
# Wed Mar 9 13:47:12 2011
cat /etc/group
# Wed Mar 9 13:48:34 2011
history
# Wed Mar 9 13:48:36 2011
cat /etc/fstab
# Wed Mar 9 13:48:43 2011
history
# Wed Mar 9 13:48:45 2011
vgdisplay
# Wed Mar 9 13:48:53 2011
history
# Wed Mar 9 13:48:57 2011
vi .profile
# Wed Mar 9 13:50:25 2011
id
# Wed Mar 9 13:50:28 2011
ps
# Wed Mar 9 13:50:29 2011
exit
# Wed Mar 9 13:50:30 2011


Here's a slight mod that makes the history a bit easier to read (YYYYMMDD.HHMMSS):

# trap 'date "+ # %a %Y%m%d.%H%M%S" | read -s' debug
5089 # Thu 20110310.202507
5090 ls
5091 # Thu 20110310.202509
5092 date
5093 # Thu 20110310.202510
5094 bdfmegs
5095 # Thu 20110310.202513
5096 boiotinfo
5097 # Thu 20110310.202514

Now the commands are visible on the left with the timestamps pushed to the right. This is the only line you'll need for .profile to add timestamps to each line in the shell history file. Thanks for posting this technique Michael.
Yes. I like this better. 

-/root> grep trap .profile

trap 'date "+ #%c" | read -s' debug # timestamp .sh_history

Thanks Bill Hassell.

-/root> history
389 # Fri 20110311.081338
390 # Fri 20110311.081338
391 history
392 # Fri 20110311.081341
393 history
394 # Fri 20110311.081346
395 # Fri 20110311.081354
396 history
397 vi .profile
398 . ./.profile
399 #Fri Mar 11 08:14:35 2011
400 #Fri Mar 11 08:14:35 2011
401 #Fri Mar 11 08:14:35 2011
402 #Fri Mar 11 08:14:35 2011
403 #Fri Mar 11 08:14:35 2011
404 history
root@fxgpq506-/root>



I tested it in my AIX and HP-UX servers.

HP-UX .. no luck. It's not recording any time stamps.

But AIX, it records, but very difficult to identify what is the exact date and time (see below). :)

ls -la #Ã #1300259962#Ã #
tail .sh_history #Ã #1300259975#Ã #



If you are not considering the security issue, here is my workaround solution, at the end of the .profile:

# cat /.profile
...
## timestamp to history file ..
set -u # error if undefined variable.
trap 'date "+%c" | read -s' debug # timestamp .sh_history


# cat /tmp/hist_reader
#!/bin/sh
# reader for ksh history from current with timestamp

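ADDRESS="$HOME/.sh_history"
# Overwrite the working copy on every run; appending (>>) would repeat old entries.
cat "$ADDRESS" > /tmp/temporal
# Join each pair of lines (timestamp, command) into "timestamp : command".
sed 'N;s/\n/ : /' < /tmp/temporal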

Result:
# /tmp/hist_reader
Tue May 3 15:32:43 2011 : bdf
Tue May 3 15:32:45 2011 : Bpsm
Tue May 3 15:32:48 2011 : pwd
Tue May 3 15:32:52 2011 : history
Tue May 3 15:32:55 2011 : ./
Tue May 3 15:33:05 2011 : ls
Tue May 3 15:33:25 2011 : cat /.profile
Tue May 3 15:36:37 2011 : pwd
Tue May 3 15:37:47 2011 : ls
Tue May 3 15:38:31 2011 : uptime
Tue May 3 15:38:38 2011 : swapinfo
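
A reader that tolerates the irregular cases visible in the listings on this page (several commands before one marker, marker lines with no command), given as an added example that is not part of the original thread. It assumes, from the first sample history above, that the trap writes its `#` marker after the command it covers; `pair_history` and `sample_history` are hypothetical names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: the debug trap writes "# <timestamp>" AFTER the command, so one
# marker covers every command entered since the previous marker.

pair_history() {
    # Reads a history file on stdin, prints "timestamp : command" lines.
    # NUL bytes are stripped first as a precaution for raw ksh history files.
    # Limitation: a typed command that itself starts with '#' looks like a marker.
    tr -d '\000' | awk '
        /^[ \t]*#/ {                          # marker line written by the trap
            ts = $0
            sub(/^[ \t]*#[ \t]*/, "", ts)     # drop the leading "# "
            if (n == 0) {                     # marker with nothing before it
                print ts " : (no command)"    # e.g. cron job or re-sourced .profile
                next
            }
            for (i = 1; i <= n; i++) print ts " : " cmd[i]
            n = 0
            next
        }
        NF { cmd[++n] = $0 }                  # command line, waits for its marker
        END {                                 # commands never followed by a marker
            for (i = 1; i <= n; i++) print "(no timestamp) : " cmd[i]
        }
    '
}

sample_history() {
    # Constructed sample in the format shown on this page.
    cat <<'EOF'
# Tue May 3 15:32:40 2011
bdf
# Tue May 3 15:32:43 2011
cat
ls -la
# Tue May 3 15:32:52 2011
# Tue May 3 15:33:00 2011
uptime
EOF
}

sample_history | pair_history
```

To run it against a real file, use `pair_history < "$HISTFILE"`.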


Found solution for AIX as well :)

All you have to do is, put the following line in .profile ( for global it can be in /etc/profile ).

EXTENDED_HISTORY=ON

To read the exact date & time of the command executed of a user's history file, use the following option.

env HISTFILE= /usr/bin/fc -t


Not sure if people are still looking at this thread ... but I'll give it a shot!

I tried to implement these recommendations on our system (running RHEL5.7), but I see strange results.  Any command that contains a '|' in it seems to be treated as a 'job' ... I can run multiple commands like this, then when I hit just a <CR> at the prompt, I see a bunch of "completed jobs" messages like the following:

mylogin@mymachine: ps -fumylogin | grep imsmeta
mylogin       25371     1  0 Feb14 pts/0    00:00:00 imsmeta_server -i 960 -A -- -d 1
mylogin       25375     1  0 Feb14 pts/0    00:00:00 imsmeta_server -i 961 -A -- -d 1
mylogin       25479 25035  0 21:23 pts/2    00:00:00 grep imsmeta
mylogin@mymachine: ps -fumylogin | grep wmmon
mylogin       25365     1  0 Feb14 pts/0    00:00:51 wmmon_server -i 480 -A -e /mydir/bin/stderr.wmmon_server --
mylogin       25411 25107  0 Feb14 ?        00:00:00 wmmon_client -i 1
mylogin       25487 25035  0 21:23 pts/2    00:00:00 grep wmmon
mylogin@mymachine: ps -fumylogin | grep ksh
mylogin       24217 24214  0 21:06 pts/1    00:00:00 -ksh
mylogin       25035 25033  0 21:17 pts/2    00:00:00 -ksh
mylogin       28294 28290  0 Feb14 pts/0    00:00:00 -ksh
mylogin@mymachine: date | awk ' { print $2 } '
Feb
mylogin@mymachine: ps -fumylogin | grep ksh
mylogin       24217 24214  0 21:06 pts/1    00:00:00 -ksh
mylogin       25035 25033  0 21:17 pts/2    00:00:00 -ksh
mylogin       25517 25035  0 21:24 pts/2    00:00:00 grep ksh
mylogin       28294 28290  0 Feb14 pts/0    00:00:00 -ksh
mylogin@mymachine: <Enter>
[6] +  Done                    ps -fumylogin | grep ksh
[5] -  Done                    date | awk ' { print $2 } '
[4]    Done                    ps -fufuommylogin | grep ksh
[3]    Done                    ps -fumylogin | grep wmmon
[2]    Done                    ps -fumylogin | grep imsmeta
mylogin@mymachine:


Any ideas why this would happen?  The entry in my .profile is as follows:

tty >/dev/null 2>&1 && trap 'date "+# %D %T" | read -s' debug


We added the 'tty >/dev/null 2>&1 &&' to the trap line because we were seeing many date-only lines in the history file, and they appeared to be tied to cron jobs that were running.



sangeethakumar
