How To Monitor System Authentication Logs on Ubuntu

How To Monitor System Logins

A fundamental component of authentication management is monitoring the system after you have configured your users.

We will be exploring these concepts on an Ubuntu 22.04 server, but you can follow along on any modern Linux distribution. You can set up an Ubuntu 22.04 server for this tutorial by following our guide to Initial Server Setup on Ubuntu 22.04.

Review Authentication Attempts

Modern Linux systems log all authentication attempts in a discrete file. This is located at /var/log/auth.log. You can view this file using less:

    sudo less /var/log/auth.log

Output

    May 3 18:20:45 localhost sshd[585]: Server listening on 0.0.0.0 port 22.
    May 3 18:20:45 localhost sshd[585]: Server listening on :: port 22.
    May 3 18:23:56 localhost login[673]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
    May 3 18:23:56 localhost login[714]: ROOT LOGIN on '/dev/tty1'
    Sep 5 13:49:07 localhost sshd[358]: Received signal 15; terminating.
    Sep 5 13:49:07 localhost sshd[565]: Server listening on 0.0.0.0 port 22.
    Sep 5 13:49:07 localhost sshd[565]: Server listening on :: port 22.
    . . .

When you are finished viewing the file, you can use q to quit less.
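
As an added example (not part of the original tutorial), the shell functions below summarise sshd password failures in auth.log by source address and list addresses that logged in successfully after repeated failures. The log lines are constructed samples, and the field positions assume the traditional syslog timestamp shown in the output above.

```shell
#!/bin/sh
# Added example, not from the original tutorial. The log lines are constructed.
sample_log() {
cat <<'EOF'
Sep  5 19:01:11 localhost sshd[901]: Failed password for root from 203.0.113.5 port 40112 ssh2
Sep  5 19:01:14 localhost sshd[901]: Failed password for root from 203.0.113.5 port 40112 ssh2
Sep  5 19:01:20 localhost sshd[905]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Sep  5 19:02:02 localhost sshd[910]: Failed password for invalid user from from 198.51.100.23 port 51000 ssh2
Sep  5 19:15:40 localhost sshd[930]: Failed password for demoer from 198.51.100.77 port 52811 ssh2
Sep  5 19:15:44 localhost sshd[930]: Failed password for demoer from 198.51.100.77 port 52811 ssh2
Sep  5 19:15:49 localhost sshd[930]: Accepted password for demoer from 198.51.100.77 port 52811 ssh2
Sep  5 19:37:02 localhost sshd[960]: Accepted publickey for root from 192.0.2.10 port 52901 ssh2: ED25519 SHA256:CONSTRUCTED
Sep  5 19:40:00 localhost sudo: pam_unix(sudo:session): session opened for user root by demoer(uid=0)
EOF
}

# src(): address after the LAST "from" that is followed by "port". The user
# name is client-supplied text, so it may itself contain the word "from".
AWK_SRC='function src(   i) {
    for (i = NF - 2; i > 5; i--) { if ($i == "from" && $(i + 2) == "port") return $(i + 1) }
    return "" }'

# failed_by_ip: auth.log on stdin -> "count address", highest count first.
failed_by_ip() {
    awk "$AWK_SRC"'
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
        ip = src(); if (ip != "") n[ip]++ }
    END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# success_after_failures MIN: addresses that logged in after >= MIN failures,
# printed as "address failures-before-login".
success_after_failures() {
    awk -v min="$1" "$AWK_SRC"'
    $5 !~ /^sshd\[[0-9]+\]:$/ { next }
    $6 == "Failed" && $7 == "password" { ip = src(); if (ip != "") fail[ip]++ }
    $6 == "Accepted" { ip = src()
        if (ip != "" && fail[ip] >= min && !seen[ip]++) print ip, fail[ip] }'
}

# On a real host: sudo cat /var/log/auth.log | failed_by_ip
sample_log | failed_by_ip
echo "--- accepted after >= 2 failures:"
sample_log | success_after_failures 2
```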

How To Use the “last” Command

Usually, you will only be interested in the most recent login attempts. You can see these with the last tool:

    last

Output

    demoer   pts/1   rrcs-72-43-115-1   Thu Sep 5 19:37   still logged in
    root     pts/1   rrcs-72-43-115-1   Thu Sep 5 19:37 - 19:37  (00:00)
    root     pts/0   rrcs-72-43-115-1   Thu Sep 5 19:15   still logged in
    root     pts/0   rrcs-72-43-115-1   Thu Sep 5 18:35 - 18:44  (00:08)
    root     pts/0   rrcs-72-43-115-1   Thu Sep 5 18:20 - 18:20  (00:00)
    demoer   pts/0   rrcs-72-43-115-1   Thu Sep 5 18:19 - 18:19  (00:00)

This provides a formatted version of information saved in another file, /etc/log/wtmp.

The first and third lines show users who are still logged into the system. For sessions that have already closed, the start and end times are given as a hyphen-separated pair, with the total time spent logged in shown in parentheses.

How To Use the “lastlog” Command

You can also view the last time each user on the system logged in using the lastlog command.

This information is provided by accessing the /etc/log/lastlog file. It is then sorted according to the entries in the /etc/passwd file:

    lastlog

Output

    Username   Port    From               Latest
    root       pts/1   rrcs-72-43-115-1   Thu Sep 5 19:37:02 +0000 2013
    daemon                                **Never logged in**
    bin                                   **Never logged in**
    sys                                   **Never logged in**
    sync                                  **Never logged in**
    games                                 **Never logged in**
    . . .

You can see the latest login time of every user on the system.

Notice how the system users will almost all have **Never logged in**. Many of these system accounts will not be used to log in directly, so this is normal.
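
The check implied by the paragraph above, as an added example that is not part of the original tutorial: flag system accounts that do have a login record. The lastlog and passwd samples are constructed, and the UID_MIN default of 1000 is an assumption to confirm against /etc/login.defs on your host.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Both inputs are constructed
# samples in the formats of `lastlog` output and /etc/passwd.
sample_lastlog() {
cat <<'EOF'
Username         Port     From             Latest
root             pts/1    rrcs-72-43-115-1 Thu Sep  5 19:37:02 +0000 2013
daemon                                     **Never logged in**
bin                                        **Never logged in**
games            pts/2    203.0.113.5      Thu Sep  5 03:12:44 +0000 2013
demoer           pts/0    rrcs-72-43-115-1 Thu Sep  5 18:19:10 +0000 2013
EOF
}
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
demoer:x:1000:1000::/home/demoer:/bin/bash
EOF
}

# system_logins PASSWD_FILE [UID_MIN]: read `lastlog` output on stdin and print
# "user uid" for every account with 0 < uid < UID_MIN that has a login record.
# root (uid 0) is left out because it is used interactively in this tutorial.
system_logins() {
    awk -v uid_min="${2:-1000}" '
    NR == FNR { split($0, f, ":"); uid[f[1]] = f[3]; next }   # first input: passwd
    FNR == 1 || /\*\*Never logged in\*\*/ { next }            # header or no record
    ($1 in uid) && uid[$1] > 0 && uid[$1] < uid_min { print $1, uid[$1] }
    ' "$1" -
}

# On a real host: lastlog | system_logins /etc/passwd
```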

Conclusion

User authentication on Linux is a relatively flexible area of system management. There are many ways of accomplishing the same objective with widely available tools.

It is important to understand where the system keeps information about logins so that you can monitor your server for changes that do not reflect your usage.

Next, you may want to learn how to add and delete system users.

 
3 Comments



wow log has what look like constant, huge numbers of attempts to login by hackers. literally 1000’s per day.

Say, someone manages to break into my server eventually. Can he remove certain parts from the access logs? If so, how do I figure that out and more importantly, protect myself against such malicious file-editing?

Looks like you need to update your href’s to the previous articles to use www.digitalocean.com instead of atlantis.digitalocean.com.
