Aug 7 08:47:26 bastion LinuxCommandsWazuh: User ubuntu [93463]: 252 sudo ./log.sh Aug 7 08:47:36 bastion LinuxCommandsWazuh: User ubuntu [93463]: 253 cd Aug 7 08:47:36 bastion LinuxCommandsWazuh: User ubuntu [93463]: 254 ls Aug 7 08:53:25 bastion LinuxCommandsWazuh: User ubuntu [93463]: 254 ls Aug 7 08:53:25 bastion LinuxCommandsWazuh: message repeated 3 times: [ User ubuntu [93463]: 254 ls] Aug 7 08:53:28 bastion LinuxCommandsWazuh: User ubuntu [93463]: 255 cd bin/ Aug 7 08:53:41 bastion LinuxCommandsWazuh: User ubuntu [93463]: 256 cd .. Aug 7 08:53:42 bastion LinuxCommandsWazuh: User ubuntu [93463]: 257 ls Aug 7 08:53:42 bastion LinuxCommandsWazuh: User ubuntu [93463]: 258 cd .. Aug 7 08:53:43 bastion LinuxCommandsWazuh: User ubuntu [93463]: 259 ls Aug 7 08:54:26 bastion LinuxCommandsWazuh: User devesh [93827]: 12 exit Aug 7 08:54:26 bastion LinuxCommandsWazuh: User devesh [93827]: 13 ls Aug 7 08:54:27 bastion LinuxCommandsWazuh: User devesh [93827]: 14 cd Aug 7 08:54:27 bastion LinuxCommandsWazuh: User devesh [93827]: 15 ls Aug 7 08:54:30 bastion LinuxCommandsWazuh: User devesh [93827]: 16 cd .ssh/ Aug 7 08:54:30 bastion LinuxCommandsWazuh: User devesh [93827]: 17 ls Aug 7 08:54:34 bastion LinuxCommandsWazuh: User devesh [93827]: 18 cat id_rsa.pub Aug 7 08:55:27 bastion LinuxCommandsWazuh: User devesh [93827]: 19 ssh devesh@34.131.119.204 Aug 7 08:56:19 bastion LinuxCommandsWazuh: User devesh [93827]: 20 ssh devesh@34.131.112.162 Aug 7 08:56:20 bastion LinuxCommandsWazuh: User devesh [93827]: 21 ls Aug 7 08:56:39 bastion LinuxCommandsWazuh: User ubuntu [93463]: 260 sudo su devesh Aug 7 08:56:40 bastion LinuxCommandsWazuh: User ubuntu [93463]: 261 ls Aug 7 08:56:42 bastion LinuxCommandsWazuh: User ubuntu [93463]: 262 cd Aug 7 08:56:48 bastion LinuxCommandsWazuh: User shamailtayyab [93935]: 21 exit Aug 7 08:56:48 bastion LinuxCommandsWazuh: User shamailtayyab [93935]: 22 ls Aug 7 08:56:49 bastion LinuxCommandsWazuh: User shamailtayyab [93935]: 23 cd Aug 7 08:56:49 bastion LinuxCommandsWazuh: User shamailtayyab [93935]: 24 ls Aug 7 08:56:50 bastion LinuxCommandsWazuh: User shamailtayyab [93935]: 25 cd ..s Aug 7 08:56:52 bastion LinuxCommandsWazuh: User shamailtayyab [93935]: 26 cd .ssh/ Aug 7 08:56:53 bastion LinuxCommandsWazuh: User shamailtayyab [93935]: 27 ls Aug 7 08:56:55 bastion LinuxCommandsWazuh: User shamailtayyab [93935]: 28 cat id_rsa Aug 7 08:57:01 bastion LinuxCommandsWazuh: User shamailtayyab [93935]: 29 cat id_rsa.pub Aug 7 09:15:21 bastion LinuxCommandsWazuh: User ubuntu [94201]: 263 sudo su shamailtayyab Aug 7 09:15:23 bastion LinuxCommandsWazuh: User ubuntu [94201]: 264 cd .. Aug 7 09:15:24 bastion LinuxCommandsWazuh: User ubuntu [94201]: 265 ls Aug 7 09:15:28 bastion LinuxCommandsWazuh: User ubuntu [94201]: 266 sudo su rihan/ Aug 7 09:15:29 bastion LinuxCommandsWazuh: User ubuntu [94201]: 267 ls Aug 7 09:15:32 bastion LinuxCommandsWazuh: User rihan [94243]: 19 sudo su devyanshu Aug 7 09:15:32 bastion LinuxCommandsWazuh: User rihan [94243]: 20 cd Aug 7 09:15:33 bastion LinuxCommandsWazuh: User rihan [94243]: 21 ls Aug 7 09:15:34 bastion LinuxCommandsWazuh: User rihan [94243]: 22 cd .ssh/ Aug 7 09:15:35 bastion LinuxCommandsWazuh: User rihan [94243]: 23 ls Aug 7 09:15:38 bastion LinuxCommandsWazuh: User rihan [94243]: 24 cat id_rsa.pub Aug 7 09:15:59 bastion LinuxCommandsWazuh: User rihan [94243]: 24 cat id_rsa.pub Aug 7 09:16:04 bastion LinuxCommandsWazuh: User ubuntu [94201]: 268 sudo su rihan Aug 7 09:16:07 bastion LinuxCommandsWazuh: User venky [94312]: 47 exit Aug 7 09:16:07 bastion LinuxCommandsWazuh: User venky [94312]: 48 ls Aug 7 09:16:08 bastion LinuxCommandsWazuh: User venky [94312]: 49 cd Aug 7 09:16:08 bastion LinuxCommandsWazuh: User venky [94312]: 50 ls Aug 7 09:16:09 bastion LinuxCommandsWazuh: User venky [94312]: 51 cd .ssh/ Aug 7 09:16:10 bastion LinuxCommandsWazuh: User venky [94312]: 52 ls Aug 7 09:16:13 bastion LinuxCommandsWazuh: User venky [94312]: 53 cat id_rsa.pub Aug 7 09:17:05 bastion LinuxCommandsWazuh: User ubuntu [94201]: 269 sudo su venky Aug 7 09:17:09 bastion LinuxCommandsWazuh: User shobhit [94375]: 18 exit Aug 7 09:17:09 bastion LinuxCommandsWazuh: User shobhit [94375]: 19 ls Aug 7 09:17:13 bastion LinuxCommandsWazuh: User shobhit [94375]: 20 cd Aug 7 09:17:14 bastion LinuxCommandsWazuh: User shobhit [94375]: 21 cd .ssh/ Aug 7 09:17:14 bastion LinuxCommandsWazuh: User shobhit [94375]: 22 ls Aug 7 09:17:17 bastion LinuxCommandsWazuh: User shobhit [94375]: 23 cat id_rsa Aug 7 09:17:22 bastion LinuxCommandsWazuh: User shobhit [94375]: 24 cat id_rsa.pub Aug 7 09:17:55 bastion LinuxCommandsWazuh: User ubuntu [94201]: 270 sudo su shobhit Aug 7 09:17:56 bastion LinuxCommandsWazuh: User ubuntu [94201]: 271 ls Aug 7 09:18:00 bastion LinuxCommandsWazuh: User anshika [94441]: 28 exit Aug 7 09:18:01 bastion LinuxCommandsWazuh: User anshika [94441]: 29 ls Aug 7 09:18:05 bastion LinuxCommandsWazuh: User anshika [94441]: 30 cat Aug 7 09:18:05 bastion LinuxCommandsWazuh: User anshika [94441]: 31 ls Aug 7 09:18:06 bastion LinuxCommandsWazuh: User anshika [94441]: 32 cd Aug 7 09:18:07 bastion LinuxCommandsWazuh: User anshika [94441]: 33 ls Aug 7 09:18:09 bastion LinuxCommandsWazuh: User anshika [94441]: 34 cd .ssh/ls Aug 7 09:18:12 bastion LinuxCommandsWazuh: User anshika [94441]: 35 cd .ssh/ Aug 7 09:18:12 bastion LinuxCommandsWazuh: User anshika [94441]: 36 ls Aug 7 09:18:17 bastion LinuxCommandsWazuh: User anshika [94441]: 37 cat id_rsa.pub Aug 7 09:21:58 bastion LinuxCommandsWazuh: User anshika [94441]: 37 cat id_rsa.pub Aug 7 09:21:58 bastion LinuxCommandsWazuh: User anshika [94441]: 38 ls Aug 7 09:22:02 bastion LinuxCommandsWazuh: User ubuntu [94201]: 272 sudo su anshika Aug 7 09:22:03 bastion LinuxCommandsWazuh: User ubuntu [94201]: 273 ls Aug 7 09:22:05 bastion ubuntu: root@ [94573]: exit [0] Aug 7 09:22:07 bastion ubuntu: root@ [94573]: cd [0] Aug 7 09:22:07 bastion ubuntu: root@ [94573]: ls [0] Aug 7 09:22:09 bastion ubuntu: root@ [94573]: cd /home/ [0] Aug 7 09:22:10 bastion ubuntu: root@ [94573]: ls [0] Aug 7 09:22:27 bastion ubuntu: root@ [94573]: cd devesh [0] Aug 7 09:22:28 bastion ubuntu: root@ [94573]: ls [0] Aug 7 09:23:28 bastion ubuntu: root@ [94573]: sudo vi .bashrc . [0] Aug 7 09:23:30 bastion LinuxCommandsWazuh: User ubuntu [94201]: 274 sudo su Aug 7 09:23:35 bastion LinuxCommandsWazuh: User devesh [94633]: 22 exit Aug 7 09:23:37 bastion LinuxCommandsWazuh: User devesh [94633]: 23 source ~/.bashrc Aug 7 09:23:42 bastion LinuxCommandsWazuh: User devesh [94633]: 24 cookie Aug 7 09:23:44 bastion LinuxCommandsWazuh: User devesh [94633]: 25 queues Aug 7 09:23:51 bastion LinuxCommandsWazuh: User ubuntu [94201]: 275 sudo su devesh Aug 7 09:23:52 bastion ubuntu: root@ [94675]: exit [0] Aug 7 09:23:57 bastion ubuntu: root@ [94675]: cd devesh/ [0] Aug 7 09:23:58 bastion ubuntu: root@ [94675]: ls [0] Aug 7 09:24:09 bastion ubuntu: root@ [94675]: sudo vi .bashrc [0] Aug 7 09:24:17 bastion ubuntu: root@ [94675]: cat .bashrc [0] Aug 7 09:24:24 bastion ubuntu: root@ [94675]: cd .. [0] Aug 7 09:24:25 bastion ubuntu: root@ [94675]: ls [0] Aug 7 09:24:30 bastion ubuntu: root@ [94675]: cd rihan [0] Aug 7 09:24:30 bastion ubuntu: root@ [94675]: ls [0] Aug 7 09:24:52 bastion ubuntu: root@ [94675]: sudo vi .bashrc [0] Aug 7 09:24:57 bastion ubuntu: root@ [94675]: cd .. [0] Aug 7 09:24:58 bastion ubuntu: root@ [94675]: ls [0] Aug 7 09:25:02 bastion ubuntu: root@ [94675]: cd shamailtayyab/ [0] Aug 7 09:25:03 bastion ubuntu: root@ [94675]: ls [0] Aug 7 09:25:30 bastion ubuntu: root@ [94675]: sudo vi .bashrc [0] Aug 7 09:25:35 bastion ubuntu: root@ [94675]: cd .. [0] Aug 7 09:25:35 bastion ubuntu: root@ [94675]: ls [0] Aug 7 09:25:37 bastion ubuntu: root@ [94675]: cd venky [0] Aug 7 09:25:38 bastion ubuntu: root@ [94675]: ls [0] Aug 7 09:25:42 bastion ubuntu: root@ [94675]: cd .ssh/ [0] Aug 7 09:25:43 bastion ubuntu: root@ [94675]: ls [0] Aug 7 09:25:47 bastion ubuntu: root@ [94675]: sudo vi authorized_keys [0] Aug 7 09:25:59 bastion ubuntu: root@ [94675]: cd [0] Aug 7 09:25:59 bastion ubuntu: root@ [94675]: ls [0] Aug 7 09:26:02 bastion ubuntu: root@ [94675]: cd /home/venky/ [0] Aug 7 09:26:03 bastion ubuntu: root@ [94675]: ls [0] Aug 7 09:26:23 bastion ubuntu: root@ [94675]: sudo vi .bashrc [0] Aug 7 09:29:08 bastion LinuxCommandsWazuh: User ubuntu [94201]: 276 sudo su Aug 7 09:29:13 bastion LinuxCommandsWazuh: User venky [94846]: 54 exit Aug 7 09:29:15 bastion LinuxCommandsWazuh: User venky [94846]: 55 source ~/.bashrc Aug 7 09:29:17 bastion LinuxCommandsWazuh: User ubuntu [94201]: 277 sudo su venky Aug 7 09:29:21 bastion LinuxCommandsWazuh: User ubuntu [94201]: 278 sudo su rihan/ Aug 7 09:29:23 bastion LinuxCommandsWazuh: User rihan [94888]: 25 exit Aug 7 09:29:24 bastion LinuxCommandsWazuh: User rihan [94888]: 26 source ~/.bashrc Aug 7 09:29:26 bastion LinuxCommandsWazuh: User ubuntu [94201]: 279 sudo su rihan Aug 7 09:29:29 bastion LinuxCommandsWazuh: User shamailtayyab [94919]: 29 cat id_rsa.pub Aug 7 09:29:32 bastion LinuxCommandsWazuh: User shamailtayyab [94919]: 30 source ~/.bashrc Aug 7 09:29:34 bastion LinuxCommandsWazuh: User ubuntu [94201]: 280 sudo su shamailtayyab Aug 7 09:29:34 bastion LinuxCommandsWazuh: User ubuntu [94201]: 281 ls Aug 7 09:42:21 bastion LinuxCommandsWazuh: User ubuntu [94201]: 281 ls Aug 7 09:42:27 bastion LinuxCommandsWazuh: User ubuntu [94201]: 281 ls Aug 7 09:42:28 bastion LinuxCommandsWazuh: User ubuntu [94201]: 282 lcd Aug 7 09:42:28 bastion LinuxCommandsWazuh: User ubuntu [94201]: 283 ls Aug 7 09:42:33 bastion LinuxCommandsWazuh: User ubuntu [94201]: 284 cd /var/recordings/ Aug 7 09:42:34 bastion LinuxCommandsWazuh: User ubuntu [94201]: 285 ls Aug 7 09:42:35 bastion LinuxCommandsWazuh: User ubuntu [94201]: 286 cd .. Aug 7 09:42:35 bastion LinuxCommandsWazuh: User ubuntu [94201]: 287 ls Aug 7 09:42:39 bastion LinuxCommandsWazuh: User ubuntu [94201]: 288 cd records Aug 7 09:42:39 bastion LinuxCommandsWazuh: User ubuntu [94201]: 289 ls Aug 7 09:42:44 bastion LinuxCommandsWazuh: User ubuntu [94201]: 290 cd backups/ Aug 7 09:42:45 bastion LinuxCommandsWazuh: User ubuntu [94201]: 291 ls Aug 7 09:42:48 bastion LinuxCommandsWazuh: User ubuntu [94201]: 292 cd .. Aug 7 09:42:49 bastion LinuxCommandsWazuh: User ubuntu [94201]: 293 ls Aug 7 09:42:58 bastion LinuxCommandsWazuh: User ubuntu [94201]: 294 cd lo Aug 7 09:42:59 bastion LinuxCommandsWazuh: User ubuntu [94201]: 295 cd log Aug 7 09:43:00 bastion LinuxCommandsWazuh: User ubuntu [94201]: 296 ks Aug 7 09:43:02 bastion LinuxCommandsWazuh: User ubuntu [94201]: 297 ls Aug 7 09:43:13 bastion LinuxCommandsWazuh: User ubuntu [94201]: 297 ls Aug 7 09:43:14 bastion LinuxCommandsWazuh: User ubuntu [94201]: 298 cdl Aug 7 09:43:14 bastion LinuxCommandsWazuh: User ubuntu [94201]: 299 ls Aug 7 09:43:15 bastion LinuxCommandsWazuh: User ubuntu [94201]: 300 cd Aug 7 09:43:15 bastion LinuxCommandsWazuh: User ubuntu [94201]: 301 ls Aug 7 09:43:17 bastion LinuxCommandsWazuh: User ubuntu [94201]: 302 cd .. Aug 7 09:43:17 bastion LinuxCommandsWazuh: User ubuntu [94201]: 303 ls Aug 7 09:43:19 bastion LinuxCommandsWazuh: User ubuntu [94201]: 304 cat audit.sh Aug 7 09:43:25 bastion LinuxCommandsWazuh: User ubuntu [94201]: 305 cd /etc/records/ Aug 7 09:43:25 bastion LinuxCommandsWazuh: User ubuntu [94201]: 306 ls Aug 7 09:48:54 bastion LinuxCommandsWazuh: User ubuntu [94201]: 306 ls Aug 7 09:49:25 bastion LinuxCommandsWazuh: User ubuntu [94201]: 306 ls Aug 7 09:50:44 bastion LinuxCommandsWazuh: User ubuntu [94201]: 307 pwd Aug 7 09:50:49 bastion LinuxCommandsWazuh: User ubuntu [94201]: 308 ls Aug 7 09:50:50 bastion LinuxCommandsWazuh: User ubuntu [94201]: 308 ls Aug 7 09:50:52 bastion LinuxCommandsWazuh: User ubuntu [94201]: 309 cd Aug 7 09:50:53 bastion LinuxCommandsWazuh: User ubuntu [94201]: 310 ls Aug 7 09:51:39 bastion LinuxCommandsWazuh: User ubuntu [94201]: 311 cd bin Aug 7 09:51:40 bastion LinuxCommandsWazuh: User ubuntu [94201]: 312 ks Aug 7 09:51:40 bastion LinuxCommandsWazuh: User ubuntu [94201]: 313 ls Aug 7 09:52:08 bastion LinuxCommandsWazuh: User ubuntu [94201]: 314 sudo vi recordslog.sh Aug 7 09:52:10 bastion LinuxCommandsWazuh: User ubuntu [94201]: 315 cat log.sh Aug 7 09:59:03 bastion LinuxCommandsWazuh: User rihan [95501]: 27 exit Aug 7 10:00:24 bastion LinuxCommandsWazuh: User rihan [95501]: 28 psql Aug 7 10:09:25 bastion LinuxCommandsWazuh: User ubuntu [94201]: 315 cat log.sh Aug 7 10:09:32 bastion LinuxCommandsWazuh: User ubuntu [94201]: 316 sudo vi recordslog.sh Aug 7 10:09:39 bastion LinuxCommandsWazuh: User ubuntu [94201]: 317 sudo chmod +x recordslog.sh Aug 7 10:09:45 bastion LinuxCommandsWazuh: User ubuntu [94201]: 318 ./recordslog.sh Aug 7 10:09:46 bastion LinuxCommandsWazuh: User ubuntu [94201]: 318 ./recordslog.sh Aug 7 10:10:14 bastion LinuxCommandsWazuh: User ubuntu [94201]: 319 sudo vi recordslog.sh Aug 7 10:10:19 bastion LinuxCommandsWazuh: User ubuntu [94201]: 320 ./recordslog.sh Aug 7 10:10:25 bastion LinuxCommandsWazuh: User ubuntu [94201]: 321 sudo ./recordslog.sh Aug 7 10:11:24 bastion LinuxCommandsWazuh: User ubuntu [94201]: 322 sudo vi recordslog.sh Aug 7 10:11:28 bastion LinuxCommandsWazuh: User ubuntu [94201]: 323 sudo ./recordslog.sh Aug 7 10:12:05 bastion LinuxCommandsWazuh: User ubuntu [94201]: 324 sudo vi recordslog.sh Aug 7 10:12:10 bastion LinuxCommandsWazuh: User ubuntu [94201]: 325 sudo ./recordslog.sh Aug 7 10:12:52 bastion LinuxCommandsWazuh: User ubuntu [94201]: 325 sudo ./recordslog.sh Aug 7 10:13:24 bastion LinuxCommandsWazuh: User ubuntu [94201]: 326 sudo vi recordslog.sh Aug 7 10:13:28 bastion LinuxCommandsWazuh: User ubuntu [94201]: 327 sudo ./recordslog.sh Aug 7 10:13:42 bastion LinuxCommandsWazuh: User ubuntu [94201]: 328 catt recordslog.sh Aug 7 10:13:45 bastion LinuxCommandsWazuh: User ubuntu [94201]: 329 cat recordslog.sh Aug 7 10:14:23 bastion LinuxCommandsWazuh: User ubuntu [94201]: 330 sudo vi recordslog.sh Aug 7 10:14:30 bastion LinuxCommandsWazuh: User ubuntu [94201]: 331 sudo ./recordslog.sh Aug 7 10:14:44 bastion LinuxCommandsWazuh: User ubuntu [97324]: 332 exit Aug 7 10:14:49 bastion LinuxCommandsWazuh: User ubuntu [97324]: 333 cd /etc/records/ Aug 7 10:14:49 bastion LinuxCommandsWazuh: User ubuntu [97324]: 334 ls Aug 7 10:14:51 bastion LinuxCommandsWazuh: User ubuntu [97324]: 335 cd .. Aug 7 10:14:51 bastion LinuxCommandsWazuh: User ubuntu [97324]: 336 ls Aug 7 10:14:52 bastion LinuxCommandsWazuh: User ubuntu [97324]: 337 cd .. Aug 7 10:14:53 bastion LinuxCommandsWazuh: User ubuntu [97324]: 338 ls Aug 7 10:14:54 bastion LinuxCommandsWazuh: User ubuntu [97324]: 339 cd Aug 7 10:14:54 bastion LinuxCommandsWazuh: User ubuntu [97324]: 340 ls Aug 7 10:18:07 bastion LinuxCommandsWazuh: User ubuntu [97324]: 341 cd Aug 7 10:18:07 bastion LinuxCommandsWazuh: User ubuntu [97324]: 341 cd Aug 7 10:18:07 bastion LinuxCommandsWazuh: User ubuntu [97324]: 342 ls Aug 7 10:18:09 bastion LinuxCommandsWazuh: User ubuntu [97324]: 343 cd bin Aug 7 10:18:10 bastion LinuxCommandsWazuh: User ubuntu [97324]: 344 ls Aug 7 10:18:21 bastion LinuxCommandsWazuh: User ubuntu [97324]: 345 sudo vi recordslog.sh Aug 7 10:18:49 bastion LinuxCommandsWazuh: User ubuntu [97324]: 346 cd /etc/records/ Aug 7 10:18:50 bastion LinuxCommandsWazuh: User ubuntu [97324]: 347 ls Aug 7 10:20:53 bastion LinuxCommandsWazuh: User ubuntu [97324]: 347 ls Aug 7 10:20:59 bastion LinuxCommandsWazuh: User ubuntu [97324]: 348 ehoami Aug 7 10:21:01 bastion LinuxCommandsWazuh: User ubuntu [97324]: 349 whoami Aug 7 10:21:16 bastion LinuxCommandsWazuh: User ubuntu [97324]: 349 whoami Aug 7 10:21:34 bastion LinuxCommandsWazuh: User ubuntu [97324]: 349 whoami Aug 7 10:23:31 bastion LinuxCommandsWazuh: User ubuntu [97324]: 350 ls -1t ${USER}_* | head -n 2 Aug 7 10:23:34 bastion LinuxCommandsWazuh: User ubuntu [97324]: 351 ls Aug 7 10:23:39 bastion LinuxCommandsWazuh: User ubuntu [97817]: 352 exit Aug 7 10:23:41 bastion LinuxCommandsWazuh: User ubuntu [97817]: 353 mcosr Aug 7 10:23:41 bastion LinuxCommandsWazuh: User ubuntu [97817]: 353 mcosr Aug 7 10:23:43 bastion LinuxCommandsWazuh: User ubuntu [97918]: 354 exit Aug 7 10:23:47 bastion LinuxCommandsWazuh: User ubuntu [97918]: 355 cd /etc/records/ Aug 7 10:23:48 bastion LinuxCommandsWazuh: User ubuntu [97918]: 356 ls Aug 7 10:23:56 bastion LinuxCommandsWazuh: User ubuntu [97918]: 357 ls -atr Aug 7 10:24:00 bastion LinuxCommandsWazuh: User ubuntu [97918]: 358 ls -tr Aug 7 10:24:04 bastion LinuxCommandsWazuh: User ubuntu [97918]: 359 ls -ltr Aug 7 10:24:09 bastion LinuxCommandsWazuh: User ubuntu [97918]: 360 ls -1t ${USER}_* | head -n 2 Aug 7 10:26:08 bastion LinuxCommandsWazuh: User ubuntu [97918]: 361 cd Aug 7 10:26:10 bastion LinuxCommandsWazuh: User ubuntu [97918]: 362 cd bin Aug 7 10:26:10 bastion LinuxCommandsWazuh: User ubuntu [97918]: 363 s Aug 7 10:26:11 bastion LinuxCommandsWazuh: User ubuntu [97918]: 364 ls Aug 7 10:26:13 bastion LinuxCommandsWazuh: User ubuntu [97918]: 365 cat recordslog.sh Aug 7 10:27:19 bastion LinuxCommandsWazuh: User ubuntu [97918]: 365 cat recordslog.sh Aug 7 10:27:32 bastion LinuxCommandsWazuh: User ubuntu [97918]: 366 LOG_FOLDER="/etc/records/" Aug 7 10:27:39 bastion LinuxCommandsWazuh: User ubuntu [97918]: 367 LATEST_FILES=$(ls -1t "${LOG_FOLDER}${USER}_*" | head -n 2) Aug 7 10:27:48 bastion LinuxCommandsWazuh: User ubuntu [97918]: 368 LATEST_FILES=$(ls -1t "${LOG_FOLDER}${USER}-*" | head -n 2) Aug 7 10:28:17 bastion LinuxCommandsWazuh: User ubuntu [97918]: 369 LATEST_FILES=$(sudo ls -1t "${LOG_FOLDER}${USER}-*" | head -n 2) Aug 7 10:28:36 bastion LinuxCommandsWazuh: User ubuntu [97918]: 370 LATEST_FILES=$(sudo ls -1t "${LOG_FOLDER}${USER}_*" | head -n 2) Aug 7 10:28:55 bastion LinuxCommandsWazuh: User ubuntu [97918]: 371 ls -1t ${USER}_* | head -n 2 Aug 7 10:29:14 bastion LinuxCommandsWazuh: User ubuntu [97918]: 372 ls -1t /etc/records/${USER}_* | head -n 2 Aug 7 10:29:29 bastion LinuxCommandsWazuh: User ubuntu [97918]: 372 ls -1t /etc/records/${USER}_* | head -n 2 Aug 7 10:29:47 bastion LinuxCommandsWazuh: User ubuntu [97918]: 373 USER=$WHOAMI Aug 7 10:29:59 bastion LinuxCommandsWazuh: User ubuntu [97918]: 374 echo $USER Aug 7 10:30:07 bastion LinuxCommandsWazuh: User ubuntu [97918]: 375 USER=whoami Aug 7 10:30:09 bastion LinuxCommandsWazuh: User ubuntu [97918]: 376 echo $USER Aug 7 10:30:29 bastion LinuxCommandsWazuh: User ubuntu [97918]: 377 USER=$(whoami) Aug 7 10:30:30 bastion LinuxCommandsWazuh: User ubuntu [97918]: 378 echo $USER Aug 7 10:30:34 bastion LinuxCommandsWazuh: User ubuntu [97918]: 379 LATEST_FILES=$(sudo ls -1t "${LOG_FOLDER}${USER}_*" | head -n 2) Aug 7 10:30:53 bastion LinuxCommandsWazuh: User ubuntu [97918]: 380 (sudo ls -1t "${LOG_FOLDER}${USER}_*" | head -n 2 Aug 7 10:30:57 bastion LinuxCommandsWazuh: User ubuntu [97918]: 381 sudo ls -1t "${LOG_FOLDER}${USER}_*" | head -n 2 Aug 7 10:31:24 bastion LinuxCommandsWazuh: User ubuntu [97918]: 382 echo $LOG_FOLDER Aug 7 10:31:36 bastion LinuxCommandsWazuh: User ubuntu [97918]: 382 echo $LOG_FOLDER Aug 7 10:31:37 bastion LinuxCommandsWazuh: User ubuntu [97918]: 383 ls -1t /etc/records/${USER}_* | head -n 2 Aug 7 10:31:46 bastion LinuxCommandsWazuh: User ubuntu [97918]: 384 sudo ls -1t "${LOG_FOLDER}${USER}_*" | head -n 2 Aug 7 10:44:12 bastion LinuxCommandsWazuh: User ubuntu [97918]: 384 sudo ls -1t "${LOG_FOLDER}${USER}_*" | head -n 2 Aug 7 10:44:12 bastion LinuxCommandsWazuh: message repeated 2 times: [ User ubuntu [97918]: 384 sudo ls -1t "${LOG_FOLDER}${USER}_*" | head -n 2] Aug 7 10:51:56 bastion LinuxCommandsWazuh: User ubuntu [97918]: 385 sudo usermod -aG recordusers root Aug 7 10:51:59 bastion LinuxCommandsWazuh: User ubuntu [97918]: 386 sudo ls -1t "${LOG_FOLDER}${USER}_*" | head -n 2 Aug 7 10:52:15 bastion LinuxCommandsWazuh: User ubuntu [97918]: 387 sudo ls -1t "/etc/records/${USER}_*" | head -n 2 Aug 7 10:52:24 bastion LinuxCommandsWazuh: User ubuntu [97918]: 388 sudo ls -1t /etc/records/${USER}_* | head -n 2 Aug 7 10:52:31 bastion LinuxCommandsWazuh: User ubuntu [97918]: 389 sudo ls -1t ${LOG_FOLDER}${USER}_* | head -n 2 Aug 7 10:53:44 bastion LinuxCommandsWazuh: User ubuntu [97918]: 390 FILES_TO_KEEP=$(echo "$LATEST_FILES" | xargs -n 1 basename | tr '\n' ' ') Aug 7 10:53:46 bastion LinuxCommandsWazuh: User ubuntu [97918]: 390 FILES_TO_KEEP=$(echo "$LATEST_FILES" | xargs -n 1 basename | tr '\n' ' ') Aug 7 10:53:59 bastion LinuxCommandsWazuh: User ubuntu [97918]: 391 LATEST_FILES=$(sudo ls -1t ${LOG_FOLDER}${USER}_* | head -n 2) Aug 7 10:54:01 bastion LinuxCommandsWazuh: User ubuntu [97918]: 392 FILES_TO_KEEP=$(echo "$LATEST_FILES" | xargs -n 1 basename | tr '\n' ' ') Aug 7 10:54:07 bastion LinuxCommandsWazuh: User ubuntu [97918]: 393 echo $FILES_TO_KEEP Aug 7 10:54:31 bastion LinuxCommandsWazuh: User ubuntu [97918]: 394 sudo find "$LOG_FOLDER" -type f ! -name "$(echo $FILES_TO_KEEP | tr ' ' ' -name ' -name ')" -exec rm -f {} + Aug 7 11:02:11 bastion LinuxCommandsWazuh: User ubuntu [97918]: 395 for FILE in $(sudo ls "$LOG_FOLDER"); do if ! echo "$FILES_TO_KEEP" | grep -qw "$FILE"; then sudo rm -f "$LOG_FOLDER/$FILE"; fi; done Aug 7 11:02:16 bastion LinuxCommandsWazuh: User ubuntu [97918]: 396 cd /etc/records/ Aug 7 11:02:16 bastion LinuxCommandsWazuh: User ubuntu [97918]: 397 l Aug 7 11:02:29 bastion LinuxCommandsWazuh: User ak [98709]: 88 exit Aug 7 11:02:31 bastion LinuxCommandsWazuh: User ak [98709]: 89 ls Aug 7 11:02:35 bastion LinuxCommandsWazuh: User ubuntu [97918]: 398 ls Aug 7 11:02:38 bastion LinuxCommandsWazuh: User ubuntu [97918]: 399 for FILE in $(sudo ls "$LOG_FOLDER"); do if ! echo "$FILES_TO_KEEP" | grep -qw "$FILE"; then sudo rm -f "$LOG_FOLDER/$FILE"; fi; done Aug 7 11:02:39 bastion LinuxCommandsWazuh: User ubuntu [97918]: 400 ls Aug 7 11:02:52 bastion LinuxCommandsWazuh: User ubuntu [97918]: 401 cd Aug 7 11:02:53 bastion LinuxCommandsWazuh: User ubuntu [97918]: 402 s Aug 7 11:02:54 bastion LinuxCommandsWazuh: User ubuntu [97918]: 403 cd Aug 7 11:02:54 bastion LinuxCommandsWazuh: User ubuntu [97918]: 404 ls Aug 7 11:02:56 bastion LinuxCommandsWazuh: User ubuntu [97918]: 405 cd bin Aug 7 11:02:57 bastion LinuxCommandsWazuh: User ubuntu [97918]: 406 ls Aug 7 11:03:03 bastion LinuxCommandsWazuh: User ubuntu [97918]: 407 > recordslog.sh Aug 7 11:03:06 bastion LinuxCommandsWazuh: User ubuntu [97918]: 408 sudo > recordslog.sh Aug 7 11:03:21 bastion LinuxCommandsWazuh: User ubuntu [97918]: 409 sudo vi recordslog.sh Aug 7 11:03:30 bastion LinuxCommandsWazuh: User ubuntu [97918]: 410 sudo ./recordslog.sh Aug 7 11:25:16 bastion LinuxCommandsWazuh: User ubuntu [97918]: 411 ./recordslog.sh Aug 7 11:25:34 bastion LinuxCommandsWazuh: User ubuntu [97918]: 412 sudo vi recordslog.sh Aug 7 11:25:37 bastion LinuxCommandsWazuh: User ubuntu [97918]: 413 ./recordslog.sh Aug 7 11:25:58 bastion LinuxCommandsWazuh: User ubuntu [97918]: 414 sudo vi recordslog.sh Aug 7 11:26:01 bastion LinuxCommandsWazuh: User ubuntu [97918]: 415 ./recordslog.sh Aug 7 11:26:10 bastion LinuxCommandsWazuh: User ubuntu [97918]: 416 cd /etc/records Aug 7 11:26:10 bastion LinuxCommandsWazuh: User ubuntu [97918]: 417 ls Aug 7 11:26:11 bastion LinuxCommandsWazuh: User ubuntu [97918]: 418 cd Aug 7 11:26:12 bastion LinuxCommandsWazuh: User ubuntu [97918]: 418 cd Aug 7 11:26:12 bastion LinuxCommandsWazuh: User ubuntu [97918]: 419 ls Aug 7 11:26:15 bastion LinuxCommandsWazuh: User ubuntu [97918]: 419 ls Aug 7 11:26:16 bastion LinuxCommandsWazuh: User ubuntu [97918]: 420 cd .. Aug 7 11:26:16 bastion LinuxCommandsWazuh: User ubuntu [97918]: 421 ls Aug 7 11:26:22 bastion LinuxCommandsWazuh: User ubuntu [97918]: 422 cd /etc/records Aug 7 11:26:23 bastion LinuxCommandsWazuh: User ubuntu [97918]: 423 ls Aug 7 11:26:24 bastion LinuxCommandsWazuh: User ubuntu [97918]: 424 cd .. Aug 7 11:26:25 bastion LinuxCommandsWazuh: User ubuntu [97918]: 425 ls Aug 7 11:26:41 bastion LinuxCommandsWazuh: User ubuntu [97918]: 426 rm -r records_2024-08-07_11-25-14/ Aug 7 11:26:44 bastion LinuxCommandsWazuh: User ubuntu [97918]: 427 sudo rm -r records_2024-08-07_11-25-14/ Aug 7 11:26:49 bastion LinuxCommandsWazuh: User ubuntu [97918]: 428 sudo rm -r records_2024-08-07_11-25-35/ Aug 7 11:26:53 bastion LinuxCommandsWazuh: User ubuntu [97918]: 429 sudo rm -r records_2024-08-07_11-25-59/ Aug 7 11:26:55 bastion LinuxCommandsWazuh: User ubuntu [97918]: 430 ls Aug 7 11:33:32 bastion LinuxCommandsWazuh: User ubuntu [97918]: 430 ls Aug 7 11:33:32 bastion LinuxCommandsWazuh: message repeated 2 times: [ User ubuntu [97918]: 430 ls] Aug 7 11:33:34 bastion LinuxCommandsWazuh: User ubuntu [97918]: 431 cd records/ Aug 7 11:33:34 bastion LinuxCommandsWazuh: User ubuntu [97918]: 432 ls Aug 7 11:33:39 bastion LinuxCommandsWazuh: User ubuntu [99608]: 354 exit Aug 7 11:33:45 bastion LinuxCommandsWazuh: User ak [99699]: exit Aug 7 11:33:51 bastion LinuxCommandsWazuh: User ubuntu [97918]: 432 ls Aug 7 11:33:52 bastion LinuxCommandsWazuh: message repeated 2 times: [ User ubuntu [97918]: 432 ls] Aug 7 11:33:57 bastion LinuxCommandsWazuh: User ubuntu [99802]: 433 exit Aug 7 11:34:00 bastion LinuxCommandsWazuh: User ubuntu [99802]: 434 cd /etc/records/ Aug 7 11:34:01 bastion LinuxCommandsWazuh: User ubuntu [99802]: 435 ls Aug 7 11:34:22 bastion LinuxCommandsWazuh: User ubuntu [99802]: 436 mkdir -p /etc/records_new Aug 7 11:34:26 bastion LinuxCommandsWazuh: User ubuntu [99802]: 437 sudo mkdir -p /etc/records_new Aug 7 11:34:34 bastion LinuxCommandsWazuh: User ubuntu [99802]: 437 sudo mkdir -p /etc/records_new Aug 7 11:34:48 bastion LinuxCommandsWazuh: User ubuntu [99802]: 438 sudo cp -r /etc/records /etc/records_new/ Aug 7 11:34:51 bastion LinuxCommandsWazuh: User ubuntu [99802]: 439 cd .. Aug 7 11:34:51 bastion LinuxCommandsWazuh: User ubuntu [99802]: 440 ls Aug 7 11:35:04 bastion LinuxCommandsWazuh: User ubuntu [99802]: 441 cd records Aug 7 11:35:18 bastion LinuxCommandsWazuh: User ubuntu [99802]: 442 LATEST_FILES=$(sudo ls -1t ${LOG_FOLDER}${USER}_* | head -n 2) Aug 7 11:36:00 bastion LinuxCommandsWazuh: User ubuntu [99802]: 443 LATEST_FILES=$(sudo ls -1t /etc/records/$whoami_* | head -n 2) Aug 7 11:36:08 bastion LinuxCommandsWazuh: User ubuntu [99802]: 444 echo $LATEST_FILES Aug 7 11:36:19 bastion LinuxCommandsWazuh: User ubuntu [99802]: 445 FILES_TO_KEEP=$(echo "$LATEST_FILES" | xargs -n 1 basename | tr '\n' ' ') Aug 7 11:36:32 bastion LinuxCommandsWazuh: User ubuntu [99802]: 446 echo $FILES_TO_KEEP Aug 7 11:36:45 bastion LinuxCommandsWazuh: User ubuntu [99802]: 447 for FILE in $(sudo ls "$LOG_FOLDER"); do if ! echo "$FILES_TO_KEEP" | grep -qw "$FILE"; then sudo rm -f "$LOG_FOLDER/$FILE"; fi; done Aug 7 11:37:02 bastion LinuxCommandsWazuh: User ubuntu [99802]: 448 for FILE in $(sudo ls /etc/records); do if ! echo "$FILES_TO_KEEP" | grep -qw "$FILE"; then sudo rm -f "$LOG_FOLDER/$FILE"; fi; done Aug 7 11:37:04 bastion LinuxCommandsWazuh: User ubuntu [99802]: 449 ls Aug 7 11:37:46 bastion LinuxCommandsWazuh: User ubuntu [99802]: 450 for FILE in $(sudo ls /etc/records); do if ! echo "$FILES_TO_KEEP" | grep -qw "$FILE"; then sudo rm -f /etc/records/$FILE; fi; done Aug 7 11:37:47 bastion LinuxCommandsWazuh: User ubuntu [99802]: 451 ls Aug 7 11:38:24 bastion LinuxCommandsWazuh: User ubuntu [99802]: 452 gcloud auth activate-service-account --key-file=/home/ubuntu/bin/service.json Aug 7 11:38:30 bastion LinuxCommandsWazuh: User ubuntu [99802]: 452 gcloud auth activate-service-account --key-file=/home/ubuntu/bin/service.json Aug 7 11:48:29 bastion LinuxCommandsWazuh: User ubuntu [99802]: 452 gcloud auth activate-service-account --key-file=/home/ubuntu/bin/service.json Aug 7 11:48:30 bastion LinuxCommandsWazuh: User ubuntu [99802]: 453 ls Aug 7 11:48:31 bastion LinuxCommandsWazuh: User ubuntu [99802]: 454 cd Aug 7 11:48:31 bastion LinuxCommandsWazuh: User ubuntu [99802]: 455 ls Aug 7 11:48:36 bastion LinuxCommandsWazuh: User ubuntu [99802]: 456 cd bin Aug 7 11:48:36 bastion LinuxCommandsWazuh: User ubuntu [99802]: 457 ls Aug 7 11:48:47 bastion LinuxCommandsWazuh: User ubuntu [99802]: 458 sudo vi recordslog.sh Aug 7 11:48:51 bastion LinuxCommandsWazuh: User ubuntu [100279]: 459 exit Aug 7 11:48:53 bastion LinuxCommandsWazuh: User ubuntu [100279]: 460 cd bin Aug 7 11:48:58 bastion LinuxCommandsWazuh: User ubuntu [100279]: 461 ./recordslog.sh Aug 7 11:49:06 bastion LinuxCommandsWazuh: User ubuntu [100279]: 462 sudo vi recordslog.sh Aug 7 11:49:12 bastion LinuxCommandsWazuh: User ubuntu [100279]: 463 ./recordslog.sh Aug 7 11:49:18 bastion LinuxCommandsWazuh: User ubuntu [100279]: 464 cd /etc/records Aug 7 11:49:19 bastion LinuxCommandsWazuh: User ubuntu [100279]: 465 ls Aug 7 11:52:16 bastion LinuxCommandsWazuh: User ubuntu [100279]: 466 crontab -e Aug 7 11:52:17 bastion LinuxCommandsWazuh: User ubuntu [100279]: 467 ls Aug 7 11:52:21 bastion LinuxCommandsWazuh: User ubuntu [100279]: 468 cd /bin Aug 7 11:52:22 bastion LinuxCommandsWazuh: User ubuntu [100279]: 469 ls Aug 7 11:52:26 bastion LinuxCommandsWazuh: User ubuntu [100279]: 470 cd /home/ubuntu/bin/ Aug 7 11:52:26 bastion LinuxCommandsWazuh: User ubuntu [100279]: 471 ls Aug 7 11:53:58 bastion LinuxCommandsWazuh: User ubuntu [100279]: 472 crontab -e Aug 7 11:56:47 bastion LinuxCommandsWazuh: User ubuntu [100279]: 473 sudo vi recordslog.sh Aug 7 11:56:53 bastion LinuxCommandsWazuh: User ubuntu [100279]: 474 ./recordslog.sh Aug 7 12:43:47 bastion LinuxCommandsWazuh: User shobhit [101642]: 25 exit Aug 7 12:44:04 bastion LinuxCommandsWazuh: User shobhit [101737]: 25 exit Aug 7 23:01:20 bastion LinuxCommandsWazuh: User shobhit [107301]: 25 exit