
How To Monitor System Authentication Logs on Ubuntu

Published on September 5, 2013
By Justin Ellingwood
Developer and author at DigitalOcean.

How To Monitor System Logins

Configuring users is only part of authentication management; once the accounts exist, you also need to monitor who actually authenticates, and from where.

On Ubuntu, authentication events from login, sshd, sudo and the PAM stack are written by the syslog daemon to a single file, "/var/log/auth.log" (Red Hat derivatives use "/var/log/secure" instead; Ubuntu releases that do not install rsyslog by default keep these messages only in the systemd journal, where "journalctl _COMM=sshd" shows the sshd entries). The file is readable only by root and the adm group, so open it with sudo:

sudo less /var/log/auth.log
May  3 18:20:45 localhost sshd[585]: Server listening on 0.0.0.0 port 22.
May  3 18:20:45 localhost sshd[585]: Server listening on :: port 22.
May  3 18:23:56 localhost login[673]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May  3 18:23:56 localhost login[714]: ROOT LOGIN  on '/dev/tty1'
Sep  5 13:49:07 localhost sshd[358]: Received signal 15; terminating.
Sep  5 13:49:07 localhost sshd[565]: Server listening on 0.0.0.0 port 22.
Sep  5 13:49:07 localhost sshd[565]: Server listening on :: port 22.
. . .
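Reading the file in a pager does not scale once sshd is exposed to the Internet, where failed attempts arrive constantly. The following shell script is an added example, not part of the original tutorial: it pulls the three things worth checking out of lines in auth.log format, namely failed password attempts per source address, successful logins, and sources that failed before eventually succeeding. The log lines inside it are constructed for illustration and use RFC 5737 documentation addresses; nothing in it comes from a real host.

```shell
#!/bin/sh
# Added example: summarise sshd events in auth.log format.
# SAMPLE_AUTH_LOG is constructed test data, not output from a real host.
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG='Sep  5 13:49:07 localhost sshd[565]: Server listening on 0.0.0.0 port 22.
Sep  5 14:01:12 localhost sshd[601]: Failed password for invalid user admin from 203.0.113.45 port 51344 ssh2
Sep  5 14:01:15 localhost sshd[601]: Failed password for invalid user admin from 203.0.113.45 port 51344 ssh2
Sep  5 14:01:19 localhost sshd[604]: Failed password for root from 203.0.113.45 port 51390 ssh2
Sep  5 14:02:03 localhost sshd[610]: Failed password for root from 198.51.100.7 port 40122 ssh2
Sep  5 14:05:40 localhost sshd[622]: Accepted publickey for demoer from 192.0.2.10 port 55012 ssh2
Sep  5 14:05:40 localhost sshd[622]: pam_unix(sshd:session): session opened for user demoer by (uid=0)
Sep  5 14:07:11 localhost sshd[630]: Accepted password for root from 198.51.100.7 port 40130 ssh2'

# Count "Failed password" lines per source address, busiest source first.
# Reads auth.log text on stdin; prints "count address".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# One line per successful sshd login: "user address method".
# The word after "for" is the user, the word after "from" the source,
# and field 7 is the method (password, publickey, ...).
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             user = ""; src = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "for")  user = $(i+1)
                 if ($i == "from") src  = $(i+1)
             }
             print user, src, $7
         }'
}

# Sources that failed at least once and also succeeded: the trace a
# password-guessing run leaves behind when it finally gets in.
# Prints "address user" for each such source.
suspicious_successes() {
    awk '/sshd\[[0-9]+\]: (Failed password|Accepted) / {
             user = ""; src = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "for")  user = $(i+1)
                 if ($i == "from") src  = $(i+1)
             }
             if ($6 == "Failed") failed[src] = 1
             else ok[src] = user
         }
         END { for (s in failed) if (s in ok) print s, ok[s] }'
}

# Demonstration on the constructed sample. On a live host replace the
# printf with:  sudo cat /var/log/auth.log | failed_by_source
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
printf '%s\n' "$SAMPLE_AUTH_LOG" | suspicious_successes
```

On the sample, the third function reports 198.51.100.7, which failed a root password once and then logged in as root with a password two minutes later; that is exactly the kind of entry the pager view buries among hundreds of routine failures.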

How To Use the "last" Command

Usually, you will only be interested in the most recent logins. The "last" tool lists successful logins, newest first; its companion "lastb" lists failed ones from "/var/log/btmp" and needs sudo:

last
demoer   pts/1        rrcs-72-43-115-1 Thu Sep  5 19:37   still logged in   
root     pts/1        rrcs-72-43-115-1 Thu Sep  5 19:37 - 19:37  (00:00)    
root     pts/0        rrcs-72-43-115-1 Thu Sep  5 19:15   still logged in   
root     pts/0        rrcs-72-43-115-1 Thu Sep  5 18:35 - 18:44  (00:08)    
root     pts/0        rrcs-72-43-115-1 Thu Sep  5 18:20 - 18:20  (00:00)    
demoer   pts/0        rrcs-72-43-115-1 Thu Sep  5 18:19 - 18:19  (00:00)

This is a formatted view of the binary file "/var/log/wtmp", which cannot be read with a pager. "last -F" shows full timestamps, and "last -i" shows source addresses instead of hostnames, which the default output truncates to 16 characters.

As you can see, the first and third lines show sessions that are still open. For finished sessions, the start and end times are separated by a hyphen and the duration follows in parentheses.
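A monitoring check a practitioner would build on top of "last" is to compare each session's source against the addresses you expect to log in from. The script below is an added example, not part of the original tutorial; it parses "last" output fed on stdin (the sample inside it is constructed, in the shape of "last -i", which prints addresses rather than truncated hostnames), and the allowlist passed as arguments is an assumption for the demonstration.

```shell
#!/bin/sh
# Added example: flag sessions in `last` output whose source is not on an
# allowlist. SAMPLE_LAST is constructed to look like `last -i` output
# (addresses instead of truncated hostnames); it is not real data.
SAMPLE_LAST='demoer   pts/1        192.0.2.10       Thu Sep  5 19:37   still logged in
root     pts/0        198.51.100.7     Thu Sep  5 19:15   still logged in
root     pts/0        192.0.2.10       Thu Sep  5 18:35 - 18:44  (00:08)
root     tty1                          Thu Sep  5 18:23 - 18:25  (00:02)
reboot   system boot  3.8.0-29-generic Thu Sep  5 18:20 - 19:40  (01:20)

wtmp begins Thu Sep  5 18:20:45 2013'

# Usage: unexpected_logins ADDR... < last-output
# Prints "user tty source" for each session whose source is not listed.
# A console login has no source column, so the day name lands in field 3;
# those sessions are reported as "console" (put "console" in the allowlist
# to accept them). reboot/shutdown records and the trailer are skipped.
unexpected_logins() {
    awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 0 || $1 == "wtmp" || $1 == "reboot" || $1 == "shutdown" { next }
        {
            src = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "console" : $3
            if (!(src in ok)) print $1, $2, src
        }'
}

# Demonstration on the sample: only the root session from 198.51.100.7 is
# reported. On a live host:  last -i | unexpected_logins 192.0.2.10 console
printf '%s\n' "$SAMPLE_LAST" | unexpected_logins 192.0.2.10 console
```

Run from cron and mailed to an administrator, a non-empty result is a cheap alarm for a login that "does not reflect your usage"; leaving "console" off the allowlist also reports physical-console logins, which on a cloud server should never happen.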

How To Use the "lastlog" Command

If you would like to look at this situation from a different angle, you can view the last time each user on the system logged in.

This information comes from "/var/log/lastlog", another binary file, which the "lastlog" command prints with one row per account, in "/etc/passwd" order:

lastlog
Username         Port     From             Latest
root             pts/1    rrcs-72-43-115-1 Thu Sep  5 19:37:02 +0000 2013
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
games                                      **Never logged in**
. . .

You can see the latest login time of every user on the system.

Notice that the system users almost all show "**Never logged in**". Earlier in this series we saw that these accounts have no usable password, so this is the expected value, and a system account that suddenly shows a login time is worth investigating. Because lastlog keeps only the most recent login per account, it is also a quick way to find dormant accounts: "lastlog -b 90" lists accounts that have not logged in for more than 90 days.

Conclusion

User authentication on Linux is a relatively flexible area of system management. There are many ways of accomplishing the same objective with very simple tools.

It is important to understand where the system keeps information about logins so that you can monitor your server for activity that does not reflect your own usage. Keep in mind that "/var/log/auth.log", "/var/log/wtmp", "/var/log/btmp" and "/var/log/lastlog" all live on the host and are writable by root, so an attacker who gains root can edit or truncate them; forwarding auth.log to a remote syslog collector keeps a copy that a compromised host cannot alter.

Authentication, Part 1 - How To View System Users in Linux on Ubuntu

Authentication, Part 2 - How To Restrict Log In Capabilities of Users on Ubuntu

Authentication, Part 3 - How To Monitor System Authentication Logs on Ubuntu

3 Comments

Wow, the log has what look like constant, huge numbers of attempts to log in by hackers. Literally 1000s per day.

Say, someone manages to break into my server eventually. Can he remove certain parts from the access logs? If so, how do I figure that out and more importantly, protect myself against such malicious file-editing?

Looks like you need to update your hrefs to the previous articles to use www.digitalocean.com instead of atlantis.digitalocean.com.