We frequently use the history command in our daily routine jobs to check the history of commands or to get information about commands executed by users.
In this post, we will see how we can use the history command effectively to extract the commands that were executed by users in the Bash shell. This may be useful for audit purposes or to find out which command was executed at a specific date and time.
By default, the date and timestamp won’t be visible when executing the history command. However, the bash shell provides command-line interface (CLI) tools for editing the user’s command history.
Let’s explore some useful tips, tricks, and the power of the history command.
1. List All Last Executed Commands in Linux
To view the complete list of the last executed commands along with their line numbers, use the following command.
history
2. List All Commands with Date and Timestamp
To list all commands with their date and timestamp in Linux, you can use the history command along with the HISTTIMEFORMAT environment variable as shown.
export HISTTIMEFORMAT="%F %T "
Now, you can use the history command to list all the commands with their respective date and timestamps.
history
Here’s a breakdown of the format placeholders used in HISTTIMEFORMAT='%F %T '
:
%F
: This signifies the full date in the format “YYYY-MM-DD“.%T
: This represents the time in the format “HH:MM:SS“.
3. Ignore Commands in History
To ignore a command in the history command, you can use the "HISTIGNORE"
environment variable, which is used to specify which commands should not be recorded in the command history.
You can set it by using the "export"
command followed by the desired command to be ignored.
export HISTIGNORE='ls -l:pwd:date:'
In this example, “ls -l“, “pwd“, and “date” are specified, meaning that any commands containing these strings will not be saved in the history.
4. Ignore Duplicate Commands in History
To ignore duplicate commands in history, you can use the following command which will instruct the system to not save repeated commands in the history, which will helps in keeping the history clean and free of redundant duplicate entries.
export HISTCONTROL=ignoredups
The option ignoredups
tells the system to ignore duplicate commands when recording them in the history. If you execute the same command multiple times consecutively, only the first occurrence will be stored in the history.
5. Save Export Command Permanently
To save the configurations for HISTTIMEFORMAT
, HISTIGNORE
, and HISTCONTROL
permanently in your Linux environment, you can add them to your .bash_profile
file, which is executed every time you start a new shell session.
nano ~/.bash_profile
Add the following lines to the .bash_profile file to set the environment variables:
export HISTTIMEFORMAT="%F %T " export HISTIGNORE="some:commands:to:ignore" export HISTCONTROL=ignoredups
To apply the changes, either restart your terminal or run the following command in the terminal:
source ~/.bash_profile
6. Unset Export Command
To unset the settings for HISTTIMEFORMAT
and HISTCONTROL
environment variables, you can use the unset command to remove their values, which will revert these settings to their default configurations.
unset HISTTIMEFORMAT unset HISTCONTROL
After executing these commands, the timestamp display in the command history will revert to the default setting, and duplicate commands will no longer be filtered out automatically.
7. List Specific User’s Executed Commands
To list specific user’s executed commands, you can use the .bash_history
file of the user, which stores the history of commands executed in the Bash shell.
sudo cat /home/username/.bash_history
If you want to filter the command history based on a specific pattern, use the grep command along with the commands containing the word as shown.
sudo cat /home/username/.bash_history | grep "ls"
8. Disable Storing History of Commands
To disable the storing of command history in Linux, you can unset the HISTFILE
variable, which is responsible for maintaining the history of commands in a file.
unset HISTFILE
By unsetting the HISTFILE
variable, you prevent the system from storing command history, ensuring that commands executed in the terminal are not recorded for future sessions.
It’s important to note that this change will only apply to the current session and will not persist across different terminal sessions. If you want to make this change permanent, you can consider updating your shell’s configuration .bash_profile
file to unset the HISTFILE
variable upon each login.
9. Delete or Clear History of Commands
You can use the up and down arrow keys to see previously used commands, which can be helpful or annoying. To delete or clear all the entries from the bash history list, you can use the '-c'
option.
history -c
To clear the command history for all users, you can delete or truncate the history file located at /home/[username]/.bash_history
for each user.
> /home/[username]/.bash_history OR rm /home/[username]/.bash_history
10. Search Commands in History Using Grep Command
To filter commands in the history command output, you can use the grep command, which will only display the commands from the history that contain the keyword as shown.
history | grep "ls" history | grep "pwd" history | grep "date"
11. Search for Recent Commands in History
To search for recent commands in the history, you can use the grep command along with containing keyword such as “ssh” from the command history.
history | grep "ssh"
You can also search for previously executed commands using the ‘Ctrl+r'
command. Once you’ve found the command you’re looking for, press ‘Enter‘ to execute it, or press ‘esc‘ to cancel.
(reverse-i-search)`source ': source .bash_profile
12. Recall Last Executed Command in History
To recall the last executed command from a specific position in the command history in Linux, you can use the history command along with a specific line number.
To view the command history with line numbers, use the history command:
history
Next, identify the line number associated with the command you want to recall, in this case, command number 8, and then recall the command using !
followed by the line number as shown.
!8
13. Recall Lastly Executed Specific Command
You can recall a previously used command, such as “netstat -np | grep 22“, by using the '!'
symbol followed by some letters from that command.
For example, if you want to recall the “netstat -np | grep 22” command, you can type '!net'
and press Enter in the terminal, which will execute the most recent command that starts with “net” from your command history.
!net
Conclusion
In conclusion, we’ve shown you the usefulness of the history command, but there’s still more to explore. We’d love to hear about your experiences with the history command!
Share them with us in the comment box below.
How I can delete history between two-time stamps.
https://askubuntu.com/questions/708906/how-to-remove-command-line-history-from-a-specific-time-period
Then again, the *only* reason to delete history between two points is to hide nefarious, embarrassing, or even illegal, activity on someone’s machine. :P
The only reason to delete history is to hide something you are doing.
How can i display the last five commands when i login like this :
How can I filter a many of commands in history? for example i don’t want to show me “ls” command in history file.
Perhaps the easiest is to just filter what you are looking *for* instead of what you are not looking for. Just a standard ‘history | grep (thing you want to find)‘ is enough? Otherwise you should be able to construct a regex in the grep to search what you want *and* ignore the ls lines found.
rember to ‘export’ that command before using it
Great stuff! I would suggest updating the title text for points 11, 12, and 13 to read: “Recall Last…”, not “Recall Lastly…” just to make the tips a bit more readable and could possibly improve search engine results. It is also proper grammar. :) Keep up the good work!
To clear (totally) all the command history of a certain user (e.g root)
1. Log-in to that user
2. cat “” > .bash_history (same as cat /dev/null > .bash_history)
3. history -c
Logout and re-login.
@Sugat,
Thanks for the tip on history command, hope it will help other Linux users..
Dear Narad,
If you allow me one suggestion. The ignoredups remove consecutive duplicates; erasedups- eliminate duplicates across the whole history.
So, if I type multiple times-but not consecutive- the same commands in bash:
1.ls -l
2.dir -a
3.ls -l- the way to remove duplicates from history is : export HISTCONTROL=erasedups.
Great work!!
Thanks!!!!!!!!!!!!!
HISTSIZE=0 is nice if you don’t want to leave traces of history increasing security, however your shell is your working tool and sometimes you need to view the commands you typed previously which you can’t with this limitation.
Consider this:
ln -s -f /dev/null ~/.bash_history
This approach will keep the history through your session and erase it when you close shell or logout
Thanks for this nice summary on the “history” command. I’ve been using the method with grep as
in paragraph 10 for years. Now I’ve upgraded my linux system and get the following:
$ history | grep pwd
Binary file (standard input) matches
Any idea what might be misconfigured, making grep consider the output of history to be binary, even
when it clearly isn’t?
Good article! Just one question: can anyone explain why all commands in the first example have the same time stamp, 2013-06-09 10:40:12 ?
Even if you cut and pasted them, commands “ping google.com” would take more than one second, would not they?
Occasionally I see the same anomaly in my history logs; I wonder if these time stamps are reliable at all?
Good question, I really want to know as well.
I am confused too
This article saved tons of my worries. I am not a linux cli expert and I am asked to configure an l2tp server. Did not know how to add iptables rules and so checking the previous commands in a different server, I was able to copy and execute the proper commands!
Cheers!
Good article, I really need this. Thanks
Hi,
I really very thankful for your post , it’s very useful for me , I am a beginner in Linux , we can delete all history using “$ history -c” command, but I want to delete my history from last 1 month, or any specified duration , how can we delete by command ,
Perhaps you could consider BASH history suggest box https://github.com/dvorka/hstr that greatly simplifies navigation through the history and its management.
Hi,
while using this commnad “export HISTSIZE=0” it wil delete all users history or related to me(the commands which has executed by me) in the global user account.
Hi,
We need the ssh session commands to be redirected to a file everytime they login.
We have added the below lines under bashrc.
HISTFILE=/var/tmp/history/$USER.$(date +%d-%m-%Y:%H:%M)
readonly HISTFILE
HISTSIZE=5000
HISTTIMEFORMAT=”%d/%m/%y %T ”
Its logging all the commands but, when we run history it shows only session history where we want that to show the complete history..
Please help. thanks in advance.
Subu.
var/log/secure provides us below information :
Mar 20 08:07:07 testing sshd[29749]: Accepted password for oracle from 10.51.1.12 port 49239 ssh2
Mar 20 08:07:07 testing sshd[29749]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Mar 20 08:12:16 testing sshd[29759]: Received disconnect from 10.51.1.12: 11: Disconnect requested by Windows SSH Client.
Mar 20 08:12:16 testing sshd[29749]: pam_unix(sshd:session): session closed for user oracle
But what commands that oracle user executed we can not get from the above information?
/home/oracle/.bash_history provides us information like this about what commands are executed:
exit
cat /home/oracle/ashfaq/Auto_Clone/Auto_Clone.sh
cat /u01/down.sh
cd /u01/oracle/inst/apps/TESTING_testing/admin/scripts/
./adstpall.sh apps/apps
./adstrtal.sh apps/apps
cat /home/oracle/ashfaq/Auto_Clone/Auto_Clone.sh
ls -ltr
cat main_exec.sh
but does not tell us that user from which IP or hostname and at what time executed these commands.
how we can store all this information in one file with time, IP, user name (root, oracle, ricky ) and commands executed by these users ?
We can modify History of command ..?
Hi
I want history like below. is it possible ?
year time command username
05/12/13 11:07:36 ls -lah
Hi Jack, of course it’s possible.
Edit your ~/.bashrc and set the line
HISTTIMEFORMAT
to:
HISTTIMEFORMAT=”%F %T “.
Exit all your terminals and now it should write a timestamp in the history file.
(Maybe you have to log out!)
Good one, I got a lot from this
Sir
I am linux trainer. these cmds are very useful
THANKYOU
WITH REGARDS
VIVEK
Thanks for #2.
5. unset export HISTCONTROL
This command unsets two variables, export and HISTCONTROL. It does not just remove HISTCONTROL from the environment; it unsets it entirely.
Yes. It’s true.
unset HISTCONTROL command is enough for deletion.