Where are sudo incidents reported?
Solution 1
Never mind, I just found the answer in the alt-text at xkcd:
Replace root with your username, in my case ryan, so the log is found with:
cat /var/spool/mail/ryan
Solution 2
The report is sent as an email to the root user. Many Linux distributions will automatically set up an alias for that user, directing the mail to the first account created during the install process.
Author: user1717828
Updated on April 10, 2020
Comments
-
user1717828 about 4 years
Attempting something devious on my machine leads to
ryan@debian:~$ sudo EAT_ALL_THE_COOKIES_BEFORE_DINNER
[sudo] password for ryan:
ryan is not in the sudoers file. This incident will be reported.
Where is this incident reported, and how do I get the log of all the nasty attempted commands?
-
njsg over 11 years
Shouldn't it be root unless there is some forwarding set? The whole point should be that the email is sent to the administrator. Also, sure, once some forwarding is set, you can cat the spool file, but you can also use some mail client, like mail, nail, or something else that supports reading from the local spool (I'd say that this is usually the case except maybe for GUI clients "imported" from the Windows world).
-
dmnc over 9 years
There's nothing in /var/spool/mail in distributions using systemd (Archlinux in my case). In this case, you can find that report in the journal by using journalctl command. (@shellter - due to closed topic - disagree - I had to post a comment, not another valid answer)
-
simonzack over 9 years
@dmnc I can confirm this, the journalctl command for this is sudo journalctl /bin/sudo.
-
CJBS about 9 years
I know this is tagged 'debian', but I came looking for Ubuntu. So for the benefit of others looking for Ubuntu's output log, I found sudo failures in: /var/log/auth.log
-
akshayk07 almost 5 years
More specifically, to only see sudo failures in Ubuntu use cat /var/log/auth.log | grep sudoers.
-
Rain over 2 years
@CJBS In Ubuntu under WSL I had to run sudo service rsyslog start to start the logging service.
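
Added example (not part of the original thread): a shell sketch that pulls the denied sudo attempts out of a syslog-style auth log such as the /var/log/auth.log mentioned in the comments, reporting timestamp, user, reason and attempted command instead of a bare grep. The function names and the sample log lines are constructed for illustration, and the traditional "Mon DD HH:MM:SS host sudo:" line prefix is assumed.

```shell
#!/bin/sh
# Constructed sample lines in the format sudo writes via syslog (assumption:
# traditional timestamp prefix, as found in /var/log/auth.log on Debian/Ubuntu).
sample_auth_log() {
cat <<'EOF'
Apr 10 18:02:11 debian sudo:     ryan : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ryan ; USER=root ; COMMAND=EAT_ALL_THE_COOKIES_BEFORE_DINNER
Apr 10 18:03:40 debian sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Apr 10 18:05:02 debian sudo:     ryan : user NOT in sudoers ; TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c id ; uname
Apr 10 18:06:15 debian sshd[812]: Failed password for bob from 192.0.2.7 port 50522 ssh2
Apr 10 18:07:30 debian sudo:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls
EOF
}

# Print one tab-separated record per denied sudo attempt:
#   timestamp <TAB> user <TAB> reason <TAB> command
# Reads the named files, or stdin when no file is given.
sudo_incidents() {
  awk '
    {
      # Only lines logged by sudo itself (with or without a [pid] suffix).
      if (!match($0, / sudo(\[[0-9]+\])?: +/)) next
      msg = substr($0, RSTART + RLENGTH)

      # Everything before the first " ; " is "user : reason".
      head = msg; sub(/ ; .*/, "", head)
      if (split(head, h, / : /) < 2) next

      # Match on the reason field only, so text inside COMMAND= cannot
      # make a successful run look like a failure.
      if (h[2] !~ /NOT in sudoers|incorrect password attempt|command not allowed/) next

      # COMMAND= is the last field; keep it whole even if it contains " ; ".
      p = index(msg, "COMMAND=")
      cmd = p ? substr(msg, p + 8) : ""
      printf "%s %s %s\t%s\t%s\t%s\n", $1, $2, $3, h[1], h[2], cmd
    }' "$@"
}

# Summarise denied attempts per user as "user=count", sorted by user name.
sudo_incident_counts() {
  sudo_incidents "$@" | cut -f2 | sort | uniq -c | awk '{ print $2 "=" $1 }'
}

sample_auth_log | sudo_incidents
```

On a real system the same function takes the log path as an argument, for example `sudo_incidents /var/log/auth.log`, run as a user allowed to read that file.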