How to monitor system authentication logs on Ubuntu 20.04?

Overview

Monitoring the system once your users have been configured is a crucial part of authentication management. You can follow along on any current Linux distribution while we explore these ideas on a server running Ubuntu 20.04.

Prerequisites

There are certain prerequisites that need to be met before you begin.

  • Ubuntu 20.04 or any other Linux system

  • A regular (non-root) user with sudo privileges

  • Internet connection

Examine the Authentication Attempts

Modern Linux systems record all authentication attempts in a dedicated file, located at /var/log/auth.log. Use the following command to view this file.

sudo less /var/log/auth.log

Use q to quit once you are done viewing the file.
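Paging through the file by hand does not scale on a busy server. As an added example (not part of the original article), the following shell functions count failed SSH password attempts per source address; the sample lines, host name and addresses are constructed, and the function names are hypothetical.

```shell
# Added example: summarise failed SSH password attempts in auth.log by source.

# Constructed sample in the sshd/sudo line format found in /var/log/auth.log.
sample_auth_log() {
cat <<'EOF'
Mar  3 09:14:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 09:14:05 web01 sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Mar  3 09:14:09 web01 sshd[1207]: Failed password for root from 203.0.113.7 port 51144 ssh2
Mar  3 09:20:44 web01 sshd[1312]: Accepted publickey for deploy from 198.51.100.23 port 40022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 09:31:10 web01 sshd[1388]: Failed password for deploy from 198.51.100.23 port 40310 ssh2
Mar  3 09:32:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
EOF
}

# Read auth.log lines on stdin and print "<count> <address>", busiest first.
# The user name in the line is supplied by the client, so the address is
# taken by counting fields from the END of the line ("from ADDR port N ssh2")
# rather than from the start.
# Limitation: syslog "message repeated N times" summary lines are not counted.
failed_by_source() {
  awk '
    / sshd\[[0-9]+\]: Failed password for / &&
    $(NF-4) == "from" && $(NF-2) == "port" {
      count[$(NF-3)]++
    }
    END { for (ip in count) print count[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Print only the addresses with at least $1 failed attempts.
sources_over() {
  failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed sample. On a real host, feed the log instead:
#   sudo cat /var/log/auth.log | failed_by_source
sample_auth_log | failed_by_source
```

A source with many failures and no matching "Accepted" line is usually password guessing; one with a single failure followed by a success is more likely a typo.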

Using the Command: last

Often, just the most recent login attempts will be of interest to you. They are visible using the last command:

last

This prints a formatted view of the information stored in the /var/log/wtmp file. For other, already closed sessions, the hyphen-separated values are the login and logout times, followed by the total time the user spent logged in.

Using the Command: lastlog

You can also use the lastlog command to see when each user last logged into the system. It displays the username, port and last login time of each user. The command reads this information from /var/log/lastlog and sorts the output by the order of entries in the /etc/passwd file:

lastlog

You can see the last login time of each system user.

Conclusion

It's important to understand where the system stores login information so you can track changes to your server that don't match your usage. User authentication in Linux is a relatively flexible area of system administration. With widely available tools, there are many ways to achieve the same goal.
