How to Enhance Linux History Logs with Timestamps and User Info for Better Auditing

Linux system administrators often rely on the history command to view previously executed commands, but the default output lacks timestamps, user identification, and source IP information, which are essential for thorough security auditing.

Step 1: Edit the global profile

Open the /etc/profile file with a text editor and add the following line to customize the history format:

export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S  `who am i | awk '{print $1,$5}'` "

This setting appends the date, time, current username, and login IP to each recorded command.

Step 2: Apply the changes

Run the command below to reload the profile without restarting the session:

source /etc/profile

Step 3: Verify the enhanced logging

Execute history again. The output now includes a sequence number, timestamp, user, login IP, and the command, for example:

From the screenshot you can see each entry contains the desired detailed information.

Limitations and considerations

While this modification improves internal auditability, it does not protect against malicious actors who can delete or tamper with the ~/.bash_history file. Therefore, it is mainly useful for tracking actions of less experienced users and for post‑incident analysis, not as a comprehensive defense against attackers.

The author invites readers to share additional security measures in the comments for future follow‑up articles.