How to read sudoers logs

The location of the sudoers log file can vary depending on your specific system and configuration. However, on many Linux distributions, you can find the sudoers log file in the /var/log directory. It’s often named “sudo.log” or “auth.log.” The exact name and location can also be configured in the sudoers configuration file.

Here are some common locations for the sudoers log file on different Linux distributions:

  1. Ubuntu/Debian:
    The sudoers log file is typically located at /var/log/auth.log.
  2. Red Hat/CentOS:
    On Red Hat-based systems, you may find the sudoers log file at /var/log/secure.
  3. Fedora:
    Fedora also uses /var/log/secure for sudo logs.
  4. SUSE:
    On SUSE Linux, the sudoers log file can be found at /var/log/messages.
  5. Arch Linux:
    Arch Linux stores sudo logs in /var/log/auth.log.
  6. FreeBSD:
    On FreeBSD, the sudoers log file is located at /var/log/auth.log.

Please note that the actual log file location can be customized in the /etc/sudoers file using the Defaults directive. If you want to check or change the log file location, you can open the sudoers file using the visudo command:

sudo visudo

Then, look for the Defaults line that sets logfile and ensure it points to the desired log file location. For example:

Defaults        logfile=/var/log/mysudo.log

After making any changes to the sudoers file, make sure to save them and exit the text editor. The log file location you specify in the sudoers file will be where sudo logs its activities.
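Once you know which file holds the entries, the lines can be parsed to separate permitted commands from rejected attempts. The following is an added example, not part of the original page: it parses the syslog-style lines sudo writes to files such as /var/log/auth.log or /var/log/secure. The sample lines are constructed, and the names parse_sudo_line and denied are hypothetical.

```python
import re

# Constructed sample lines in the syslog format found in auth.log / secure.
SAMPLE = """\
Jan 12 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 12 10:16:40 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 12 10:17:05 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c id ; whoami
Jan 12 10:17:09 web01 sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Jan 12 10:18:00 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
"""

# timestamp, host, "sudo:" tag (optionally with a PID), invoking user, then the body
LINE = re.compile(
    r"^(?P<time>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<body>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for a sudo command entry, or None for any other line."""
    m = LINE.match(line)
    if not m:
        return None  # other daemons, or PAM session messages tagged "sudo:"
    # COMMAND= is always last and may itself contain " ; ", so cut it off first.
    head, _, command = m["body"].partition("COMMAND=")
    entry = {"time": m["time"], "host": m["host"], "user": m["user"],
             "command": command, "reason": None}
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            # USER= is the target account; store it as "runas" so it does
            # not overwrite the invoking user.
            entry["runas" if key == "USER" else key.lower()] = value
        else:
            # sudo puts a reason text before the fields when it rejects a request
            entry["reason"] = part
    entry["allowed"] = entry["reason"] is None
    return entry

def denied(log_text):
    """Return the parsed entries for rejected sudo attempts."""
    parsed = (parse_sudo_line(l) for l in log_text.splitlines())
    return [e for e in parsed if e and not e["allowed"]]

if __name__ == "__main__":
    for e in denied(SAMPLE):
        print(e["time"], e["user"], "->", e["runas"], "|", e["reason"], "|", e["command"])
```

Entries written to a file set with Defaults logfile use a different layout and may be wrapped across lines, so this parser applies to the syslog-format files only.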