This uses the older, history-based style of command monitoring. For the newer and better way, use auditd.
Until the TA is released, this needs to be added to the master .bashrc, generally under /etc/profile.d:
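    # Flush each command to the history file as soon as it has run
    PROMPT_COMMAND='history -a'
    # Empty HISTCONTROL: keep duplicates and commands that start with a space
    export HISTCONTROL=
    if [ -f /etc/bashrc ]; then
        . /etc/bashrc
    fi
    # After every prompt, append one record to ~/.bash_eternal_history:
    # PID, user, SSH connection, host, screen window, date, working directory, last command.
    # The file is in the user's home directory, so the user can edit or delete it.
    PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo -e $$\\t$USER\\t$SSH_CONNECTION\\t$HOSTNAME\\tscreen $WINDOW\\t`date +%D%t%T%t%Y%t%s`\\t$PWD"$(history 1)" >> ~/.bash_eternal_history'
    [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u \w]\\$ "
    if [ "x$SHLVL" != "x1" ]; then # We're not a login shell
        for i in /etc/profile.d/*.sh; do
            if [ -r "$i" ]; then
                . "$i"
            fi
        done
    fi
    # Append to the history file instead of overwriting it
    shopt -s histappend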
In Splunk, you can create your own expression or use this one to make the content searchable.
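As an added example, separate from the expression mentioned above and not part of the original page, this Python parser splits the records that the PROMPT_COMMAND line writes to ~/.bash_eternal_history into named fields, which is a quick way to check a field extraction before moving it into Splunk. The field names, the sample records and the assumptions listed in the comments are this example's own.

```python
import re

# Record layout produced by the PROMPT_COMMAND above: tab-separated pid, user,
# SSH_CONNECTION, hostname, "screen <WINDOW>", date fields, then $PWD fused
# directly with the output of `history 1`.
# Assumptions (not from the original page): HISTTIMEFORMAT is unset, $PWD has
# no tab, and the history number is left-padded with at least one space.
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\t(?P<user>[^\t]*)\t"
    r"(?:(?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+))?\t"
    r"(?P<host>[^\t]*)\tscreen ?(?P<window>[^\t]*)\t"
    r"\S+[ \t]\S+[ \t]\d{4}[ \t](?P<epoch>\d+)\t"
    r"(?P<cwd>.*?) {1,4}(?P<hist_no>\d+)[ *] (?P<command>.*)$"
)

# Constructed sample: an SSH session, then a local session whose command spans two lines.
SAMPLE = (
    "4242\talice\t192.0.2.10 51234 192.0.2.20 22\tweb01\tscreen \t"
    "03/14/24 12:34:56 2024 1710419696\t/home/alice  101  sudo -l\n"
    "4310\troot\t\tweb01\tscreen 2\t"
    "03/14/24 12:40:01 2024 1710420001\t/srv/app2  102  echo \"line one\n"
    "line two\"\n"
)

def parse_line(line):
    """Return a dict of fields for one record line, or None if it is not a record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "epoch", "hist_no"):
        rec[key] = int(rec[key])
    return rec

def parse_log(text):
    """Parse a whole log; lines that are not records continue the previous command."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
        elif records:
            # A command with an embedded newline is printed by `history 1` over several lines
            records[-1]["command"] += "\n" + line
    return records

if __name__ == "__main__":
    for r in parse_log(SAMPLE):
        print(r)
```

Because `$PWD` and the history output are written with no separator between them, the split between working directory and history number relies on the number's padding.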