惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
S
Securelist
P
Privacy & Cybersecurity Law Blog
Scott Helme
Scott Helme
T
Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
量子位
博客园 - Franky
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
T
Troy Hunt's Blog
N
News | PayPal Newsroom
Google Online Security Blog
Google Online Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
N
Netflix TechBlog - Medium
小众软件
小众软件
P
Palo Alto Networks Blog
Spread Privacy
Spread Privacy
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Check Point Blog
aimingoo的专栏
aimingoo的专栏
WordPress大学
WordPress大学
L
Lohrmann on Cybersecurity
L
LINUX DO - 最新话题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Last Watchdog
The Last Watchdog
S
Security @ Cisco Blogs
P
Privacy International News Feed
Last Week in AI
Last Week in AI
Microsoft Security Blog
Microsoft Security Blog
T
Tailwind CSS Blog
博客园_首页
云风的 BLOG
云风的 BLOG
V
Vulnerabilities – Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
酷 壳 – CoolShell
酷 壳 – CoolShell
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
罗磊的独立博客
Engineering at Meta
Engineering at Meta
Forbes - Security
Forbes - Security
T
Tenable Blog

DigitalOcean Community Tutorials

Mastering grep with Regular Expressions for Efficient Text Search It's Time to Break Up with Your Cloud: Why AI Teams are Switching We Built a Private-Document AI App to Test Platform Security. Here Is What We Could Actually Verify. PostgreSQL Explained: A Complete Beginner-to-Advanced Guide How To Install and Configure Postfix on Ubuntu How To Build a Web Application Using Flask in Python 3 Build AI Reading List with DigitalOcean Functions and Mistral How To Concatenate Strings in Python How to Allow MySQL Remote Access Securely How To Install and Use Docker on Rocky Linux How To Build a Multi-Agent AI System with Docker Agent DSPy Use Cases: Build Optimized LLM Pipelines How To Submit AJAX Forms with jQuery Build an AI-Powered GPU Fleet Optimizer with the DigitalOcean AI Platform ADK Monitor GPU Utilization in Real Time: A Complete Guide Reduce File Size of Images in Linux - CLI and GUI methods Reduce PDF File Size in Linux: Tools and Methods How To Set Up a Private Docker Registry on Ubuntu How To Troubleshoot Terraform: Errors and Fixes How to Use Go Modules Python Multiprocessing Example: Process, Pool & Queue Convert Class Components to Functional Components with React Hooks How To Install and Configure Ansible on Ubuntu LLM Tokenizers Simplified: BPE, SentencePiece, and More How to Use Traceroute and MTR to Diagnose Network Issues How to Deploy Postgres to Kubernetes Cluster Importing Packages in Go: A Complete Guide Create RAID Arrays with mdadm on Ubuntu How To Make an HTTP Server in Go How To Set Up Time Synchronization on Ubuntu How To Use Struct Tags in Go apt-key Deprecation: Add Repositories with GPG on Ubuntu Linux ps Command: 20 Real-World Examples Python struct.pack and struct.unpack for Binary Data Deadlock in Java: Examples, Detection, and Prevention How To Use Find and Locate to Search for Files on Linux Structured Resume Skill Extraction Using Mistral-7B Inference How to Use the Python Main Function How to Set Up NemoClaw on a DigitalOcean Droplet with 1-Click Build an End-to-End RAG Pipeline for LLM Applications From Single to Multi-Agent Systems: Key Infrastructure Needs Back Up Data to Object Storage Using Restic How to Generate Videos with LTX-2.3 on DigitalOcean GPU Droplets How To Install LAMP Stack (Apache, MySQL, PHP) on Ubuntu How to Download Files with cURL How To Use Variadic Functions in Go Generate UUIDs with uuidgen on Linux How To Use EJS to Template Your Node Application How to Install Node.js on Ubuntu (Step-by-Step Guide) MongoDB Indexes: Improve Query Performance with Node.js LLM Tool Calling with DigitalOcean AI Platform and Databases What are Text Diffusion Models? - An Overview Crafting a Game from Scratch with GPT-5.4 Building Long-Term Memory in AI Agents with LangGraph and Mem0 How To Install PHP 7.4 and Set Up a Local Development Environment on Ubuntu 20.04 Build a GraphQL API in Go to Upload Files to Spaces How To Lint and Format Code with ESLint in Visual Studio Code Train YOLO26 for Retail Object Detection on DigitalOcean GPUs How To Work with JSON in MySQL How to Use the JavaScript .map() Method Building a Scalable App with MongoDB Using DigitalOcean's MCP Server How to Create an SSH Key in Linux: Easy Step-by-Step Guide Measure MySQL Query Performance with mysqlslap How To Use *args and **kwargs in Python 3 Nemotron 3 helped me find the perfect dish rack? A2A vs MCP - How These AI Agent Protocols Actually Differ How To Install and Manage Supervisor Docker Container Images with Watchtower on Ubuntu Getting Started with Qwen3.5 Vision-Language Models How To Create a New Sudo-Enabled User on Ubuntu How to Use Ansible to Install and Set Up Docker on Ubuntu How To Enable Remote Desktop Protocol Using xrdp on Ubuntu 22.04 How To Convert a String to a List in Python How To Check If a String Contains Another String in Python How to Read a Properties File in Python Python Command Line Arguments: sys.argv, argparse, getopt Mastering Grep command in Linux/Unix: A Beginner's Tutorial Understanding Python Data Types How to Implement a Stack in C With Code Examples Python os.system() vs subprocess: Run System Commands How To Install and Use Docker Compose on Ubuntu How to Add and Delete Users on Ubuntu How To Order Query Results in Laravel Eloquent How To Define and Use Handlers in Ansible Playbooks How To Install and Use SQLite on Ubuntu How To Install and Use Homebrew on macOS How To Manage DateTime with Carbon in Laravel and PHP How To Install Git on Ubuntu How To Install and Secure Redis on Ubuntu How To Build and Install Go Programs on Linux Using ldflags to Set Version Information for Go Applications How To Build a Node.js Application with Docker How To Add JavaScript to HTML How To Reset Your MySQL or MariaDB Root Password How To Add Images in Markdown How To Set Up a Production Elasticsearch Cluster with Ansible How To Set Up a Firewall Using firewalld on CentOS Understanding Systemd Units and Unit Files How To Set Up Replication in MySQL How To Use the .htaccess File
How To Monitor System Authentication Logs on Ubuntu
Anish Singh Walia · 2026-03-26 · via DigitalOcean Community Tutorials

Monitoring system authentication logs on Ubuntu helps you spot stolen passwords, SSH brute force attempts, and unexpected sudo use. This guide shows where those records live, how to read them with classic files and journalctl, and how to pair filtering with fail2ban and firewall basics.

This tutorial was validated on Ubuntu 24.04 LTS and Ubuntu 22.04 LTS. Commands should also work on newer Ubuntu releases that use systemd.

You can follow along on a recent Ubuntu LTS server. If you need a fresh host, complete Initial Server Setup with Ubuntu first.

Key takeaways

  • Ubuntu typically writes privileged authentication events to /var/log/auth.log and also stores structured copies in systemd journals (query with journalctl).
  • last and lastlog summarize login history using /var/log/wtmp and /var/log/lastlog, not the old incorrect paths under /etc/log/.
  • PAM lines in auth.log describe session open and close events; failed password attempts and sudo denials are separate high-signal patterns to watch.
  • grep, awk, and time-bounded journalctl queries are the usual way to hunt for SSH abuse and privilege escalation before you add fail2ban or centralized logging.

Where Ubuntu stores authentication logs

auth.log and the logging pipeline

On most Ubuntu servers, rsyslog receives syslog messages and writes security-related lines to /var/log/auth.log. The Pluggable Authentication Modules (PAM) stack decides whether a login or sudo request succeeds; PAM and SSH then emit syslog lines that rsyslog routes into that file.

systemd-journald also captures the same services. That means you can inspect recent events with either plain text files or journalctl, depending on which tool fits your workflow.

On Ubuntu 24.04 and 22.04, /var/log/auth.log is present when rsyslog is installed and running. On minimal images, auth.log may not exist. In that case, use journalctl (next section), or install rsyslog:

ls -l /var/log/auth.log
sudo systemctl status rsyslog
sudo apt update
sudo apt install rsyslog
sudo systemctl enable --now rsyslog

auth.log compared to syslog

Log Typical role
/var/log/auth.log SSH, sudo, PAM, and login-related lines
/var/log/syslog Broader daemon traffic; overlap depends on rsyslog rules

If you need the full story for a time window, start with auth.log for security-relevant lines, then widen to syslog when you troubleshoot services that are not strictly authentication.

Binary login databases

Tools such as last read /var/log/wtmp (not /etc/log/wtmp). The lastlog command reads /var/log/lastlog (not /etc/log/lastlog). Those paths are easy to mistype; the correct locations live under /var/log/.

Review authentication attempts in auth.log

To page through the authorization log:

sudo less /var/log/auth.log

Example lines (your hostnames and times will differ):

May  3 18:20:45 host sshd[585]: Server listening on 0.0.0.0 port 22.
May  3 18:23:56 host login[673]: pam_unix(login:session): session opened for root
Sep  5 13:49:07 host sshd[358]: Received signal 15; terminating.

Press q to quit less.

Viewing authentication logs in real time

Follow new events as they arrive:

sudo tail -f /var/log/auth.log

Stop with Ctrl+C. This is the quickest way to watch a live SSH attack or test whether your key-based login produces the lines you expect.

Reading authentication events with journalctl

journalctl reads the systemd journal. It shines when you want systemd units, boots, or compact time ranges. For SSH on Ubuntu, the service is usually named ssh:

journalctl -u ssh

You can also filter by unit explicitly:

journalctl _SYSTEMD_UNIT=ssh.service

If journalctl -u ssh returns no entries, confirm the unit name on your system. Some distributions use sshd instead:

sudo systemctl status ssh
sudo systemctl status sshd

Limit output to the last hour or day:

journalctl -u ssh --since "1 hour ago"
journalctl -u ssh --since today

For a deeper guide to options, filters, and export patterns, read How To Use journalctl To View and Manipulate Systemd Logs.

How to use the last command

last shows recent logins and reboots using data in /var/log/wtmp:

last

Example output:

demoer   pts/1        203.0.113.10 Thu Sep  5 19:37   still logged in
root     pts/0        203.0.113.10 Thu Sep  5 19:15   still logged in

The still logged in marker means a session is active. Closed sessions show start and end times.

How to use the lastlog command

lastlog prints the most recent login per local user by combining /var/log/lastlog with /etc/passwd:

lastlog

System accounts often show Never logged in, which is expected when those accounts are not used for interactive login.

Detecting failed logins and SSH brute force activity

Failed SSH password attempts usually contain Failed password or authentication failure, depending on configuration. Quick checks:

sudo grep "Failed password" /var/log/auth.log
sudo grep "authentication failure" /var/log/auth.log

Or with the journal:

journalctl -u ssh --since today | grep -i "failed"

A sustained burst of failures from one address is a strong sign of automated brute force traffic. Pair log review with network controls: How To Set Up a Firewall with UFW on Ubuntu explains host-level filtering on your Droplet.

Tracking privilege escalation with sudo and su

sudo and su both emit lines you can track.

Common patterns:

sudo grep "sudo:" /var/log/auth.log
sudo grep "COMMAND=" /var/log/auth.log
sudo grep -E "su\[|su:" /var/log/auth.log

COMMAND= appears in many sudo configurations and records which binary ran. Investigate unexpected users, hosts, or binaries immediately.

Understanding PAM log entries

PAM sits between applications such as sshd and your account database. A typical session line looks like this:

May  3 18:23:56 host sshd[12345]: pam_unix(sshd:session): session opened for demoer

Rough field map:

  • Timestamp and host: when and where the event occurred.
  • Process: sshd with a PID in brackets.
  • PAM stack and result: pam_unix or other modules, plus session opened or session closed.
  • Subject: which Unix user gained a session.

Authentication failures often show auth failure, Failed password, or authentication failure rather than a session open. Pair PAM context with SSH messages so you do not confuse a successful session with a failed password.

Parsing and filtering logs with grep and awk

grep is enough for many hunts:

sudo grep -E "sshd|sudo|su" /var/log/auth.log | tail -n 50

awk helps when columns matter:

sudo awk '/Failed password/ {print $0}' /var/log/auth.log

Add /etc/passwd and group lookups only when you need to map UIDs to names; the logs usually print names directly.

Automating brute force prevention with fail2ban

fail2ban watches auth.log (or the journal, depending on backend) and updates firewall rules after repeated failures.

Install and enable the service:

sudo apt update
sudo apt install fail2ban
sudo systemctl enable --now fail2ban

A minimal jail for SSH often lives in /etc/fail2ban/jail.d/defaults-debian.conf or a custom file under /etc/fail2ban/jail.d/. Ensure the sshd jail is enabled = true, then check status:

sudo fail2ban-client status
sudo fail2ban-client status sshd

For a full walkthrough with ban times and mail actions, follow How To Protect SSH with Fail2Ban on Ubuntu 22.04. Combine it with UFW so both network policy and automated bans align.

Managing authentication log retention with logrotate

Ubuntu rotates /var/log/auth.log through logrotate, commonly driven from /etc/logrotate.d/rsyslog. Typical settings compress old files and keep several weeks on disk, but vendors change defaults, so always read the active file:

cat /etc/logrotate.d/rsyslog

For background on rotation concepts, see How To Manage Logfiles With Logrotate on Ubuntu 16.04 (the ideas apply to current releases even though the title references 16.04).

Forwarding authentication logs

Production teams often ship auth logs to a central SIEM or backup cluster. At a high level you can:

  • Use journald forwarding or rsyslog rules to relay syslog facilities to a remote collector.
  • Export snapshots with journalctl when you only need an evidence bundle.

For Linux-wide logging concepts on Ubuntu, read How To View and Configure Linux Logs on Ubuntu and CentOS. Wire transport security (VPN or TLS) before you send logs across the public internet.

Quick reference: authentication log monitoring commands

Task Command idea
Page through auth log sudo less /var/log/auth.log
Live tail sudo tail -f /var/log/auth.log
SSH unit journal journalctl -u ssh --since "1 hour ago"
Failed passwords sudo grep "Failed password" /var/log/auth.log
sudo activity sudo grep "COMMAND=" /var/log/auth.log
Recent logins last
Per-user last login lastlog
fail2ban status sudo fail2ban-client status sshd

Frequently asked questions

1. Where is the authentication log file located on Ubuntu?

The primary text file is /var/log/auth.log on default Ubuntu images that use rsyslog. Always confirm with ls -l /var/log/auth.log on your own host.

2. What is the difference between auth.log and syslog on Ubuntu?

auth.log focuses on authentication and privilege events. /var/log/syslog collects a wider slice of daemon and system messages. Overlap depends on rsyslog rules, but security reviews usually start in auth.log.

3. How do I check who logged into my Ubuntu server?

Run last for interactive sessions, lastlog for per-account summaries, and search auth.log or journalctl -u ssh when you need the exact SSH event stream.

4. How do I detect an SSH brute force attack on Ubuntu?

Look for bursts of Failed password or authentication failure messages from similar time windows and source IPs. Combine log review with UFW rules and fail2ban jails.

5. Does Ubuntu 24.04 still use auth.log?

Yes, when rsyslog is installed and running. Ubuntu also stores authentication events in the systemd journal, so journalctl queries work even if auth.log is missing on a minimal image.

6. How do I stop repeated failed login attempts automatically?

Install and configure fail2ban so repeated failures trigger temporary bans. Harden SSH (keys, non-default port, AllowUsers) in parallel.

7. How long does Ubuntu keep auth.log data by default?

Retention depends on logrotate settings and disk space. Inspect /etc/logrotate.d/rsyslog and archived files such as /var/log/auth.log.* to see how many rotated copies remain on your server.

8. How do I track sudo command usage on Ubuntu?

Search for sudo: and COMMAND= in /var/log/auth.log, and review journalctl output if sudo logging targets the journal on your image.

Conclusion

When you monitor system authentication logs on Ubuntu, you combine file paths, journal queries, and simple text filters to understand who accessed the host and whether privilege use looks normal. Layer automation with fail2ban, firewall rules, and centralized forwarding as your environment matures.

To manage accounts referenced in those logs, see How To Add and Delete Users on Ubuntu or How To Create a New Sudo-Enabled User on Ubuntu.

Continue with DigitalOcean

Ship monitoring that matches your team size. DigitalOcean Monitoring adds graphs and alerting for Droplets and supported services so you notice CPU, memory, and disk issues around the same time you review auth trails. For always-on workloads, Droplets give you full Linux control to tune SSH, fail2ban, and rsyslog exactly how your security team expects.

Creative CommonsThis work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License.