How to Monitor System Authentication Logs on Ubuntu

Being the system administrator one should be able to authenticate logs and monitor users and groups activities.  you will learn more about the basic concepts behind user management, monitoring and authentication logging.


Monitoring System Logins


After the server is setup and all the users are configured one should need to have a monitoring component to take care of system authentication. Most Linux distributions will have a file known as auth.log which logs all authentication attempts. You can find it at /var/log/auth.log.


sudo  less /var/log/auth.log

Jun 5 06:45:05 ns2 CRON[7808]: pam_unix(cron:session): session closed for user www-data
Jun 5 06:45:05 ns2 CRON[7809]: pam_unix(cron:session): session closed for user munin
Jun 5 06:45:20 ns2 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Jun 5 06:45:20 ns2 pkexec[7836]: raj: Executing command [USER=root] [TTY=unknown] [CWD=/home/raj] [COMMAND=/usr/lib/update-notifier/package-system-locked]
Jun 5 06:47:01 ns2 CRON[7902]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 5 06:47:02 ns2 CRON[7902]: pam_unix(cron:session): session closed for user root
Jun 5 06:48:11 ns2 compiz: gkr-pam: unlocked login keyring
Jun 5 06:50:01 ns2 CRON[7935]: pam_unix(cron:session): session opened for user www-data by (uid=0


Making use of the ‘last’ Command


Practically,  to monitor the  most recent login attempts. you can use ‘last’ tool.


raj pts/0 :0 Wed Jun 1 14:33 - 19:04 (04:30) 
raj :0 :0 Wed Jun 1 14:30 - down (04:34) 
reboot system boot 3.13.0-85-generi Wed Jun 1 14:30 - 19:04 (04:34) 
raj pts/9 :0 Wed Jun 1 12:57 - 12:57 (00:00) 
raj pts/4 :0 Wed Jun 1 12:56 - 12:59 (00:02)

As you can see, the result almost looks like a formatted version of /etc/log/wtmp. You can make out if a particular user is still logged in or you can get the previous login timestamp and duration of any user.


Making use of the ‘lastlog’ Command


To check the last login time for each user you can use ‘lastlog’ command. The file /etc/log/lastlog will have all the information on last logins. This data will be sorted against the data in /etc/passwd file.



Username         Port     From             Latest
raj             pts/1    rrcs-72-43-115-1 Thu jun  1 19:37:02 +0000 2013
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
games                                      **Never logged in**
. . .

From the output, you will be able to get the last login time of every user. System users doesn’t have authentication set up. Hence their data will show ‘Never logged in’.

We have covered only basics tools to track the logs of users authentication however Linux distributions have many ways of system authentication tracking.

KB Admin has written 46 articles