Key logger does not record entered commands

Document ID : KB000009048
Last Modified Date : 14/02/2018
Issue:

Commands are not shown in the key logger command log via 'seaudit -kbl -sid xxx -cmd' if they are entered before the prompt returns from the previous command.

Example:
1. Log in to the server as a user who has audit(interactive).
2. Enter some commands before the prompt returns from the previous command.
-----
$ sleep 10
id
whoami
$ id
uid=101(user01) gid=1(other)
$ whoami
user01
-----
In the above case, 'id' and 'whoami' are the commands entered before the prompt returned from the previous command ('sleep 10').

3. Check the KBL command log.
-----
# seaudit -kbl -sid xxxx -cmd
04 Sep 2017 03:16:08 P TRACE user01 59acf945:00000143 user01 user01 KBL input 4988 INFO : SessionCmd: sleep 10
-----

The commands entered before the prompt returned from the previous command ('id' and 'whoami') are not shown.

Cause:

This is a product limitation in the current release.

Resolution:

There is no workaround or solution for this at this time.
You can see the commands via the other seaudit options -exe, -pr and -rp instead of -cmd.