Authentication logs are the most direct record of who tried to sign in, where the attempt came from, and whether it succeeded. A quick review of these events helps spot brute-force activity, suspicious privilege escalation, and unexpected account use before more serious damage occurs.
Most authentication events originate from sshd and sudo, with allow/deny decisions made by PAM and recorded through syslog or the systemd journal. On Ubuntu and Debian, these events commonly land in /var/log/auth.log, while RHEL-family systems typically use /var/log/secure.
Log rotation moves older entries into numbered files and compressed .gz archives, so incident timelines often span multiple files. Authentication logs can include usernames, source addresses, and executed commands, so treat copies as sensitive and avoid editing originals during investigations.
$ sudo ls -1 /var/log/auth.log /var/log/secure 2>/dev/null
/var/log/auth.log
On RHEL-family systems, /var/log/secure is usually present instead of /var/log/auth.log.
$ sudo tail --lines 20 /var/log/auth.log
2026-01-11T13:44:14.475365+00:00 host sshd[1442]: Failed password for user from ::1 port 42230 ssh2
2026-01-11T13:44:41.248367+00:00 host sshd[1465]: Accepted password for user from ::1 port 38058 ssh2
2026-01-11T13:44:41.249100+00:00 host sshd[1465]: pam_unix(sshd:session): session opened for user user(uid=1001) by user(uid=0)
2026-01-11T13:44:41.252503+00:00 host systemd-logind[175]: New session 2 of user user.
2026-01-11T13:44:41.324221+00:00 host sshd[1481]: Received disconnect from ::1 port 38058:11: disconnected by user
2026-01-11T13:44:52.917893+00:00 host sudo: user : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
2026-01-11T13:44:52.918709+00:00 host sudo: pam_unix(sudo:session): session closed for user root
2026-01-11T13:44:52.919161+00:00 host sudo: pam_unix(sudo:session): session closed for user user
On journal-only hosts, query the systemd journal with sudo journalctl --unit ssh --since "today" --no-pager (or --unit sshd on RHEL).
$ sudo grep --extended-regexp 'sshd.*(Accepted|Failed password|Invalid user)' /var/log/auth.log | tail --lines 20
2026-01-11T13:43:24.918922+00:00 host sshd[1384]: Failed password for user from ::1 port 34806 ssh2
2026-01-11T13:44:14.475365+00:00 host sshd[1442]: Failed password for user from ::1 port 42230 ssh2
2026-01-11T13:44:41.248367+00:00 host sshd[1465]: Accepted password for user from ::1 port 38058 ssh2
Summarize repeated failures by source address with sudo grep --fixed-strings "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head. The $(NF-3) field is the source address, the fourth field from the end of every "Failed password" line, so the count is per address regardless of how the username part of the line is worded.
$ sudo grep --fixed-strings "sudo:" /var/log/auth.log | tail --lines 20
2026-01-11T13:44:52.917893+00:00 host sudo: user : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
2026-01-11T13:44:52.918709+00:00 host sudo: pam_unix(sudo:session): session closed for user root
2026-01-11T13:44:52.919161+00:00 host sudo: pam_unix(sudo:session): session closed for user user
sudo command lines may include sensitive arguments (tokens, passwords, URLs); redact before sharing excerpts.
$ sudo zgrep --no-filename --extended-regexp 'sshd|sudo:' /var/log/auth.log* | tail --lines 20
2026-01-11T13:44:14.475365+00:00 host sshd[1442]: Failed password for user from ::1 port 42230 ssh2
2026-01-11T13:44:41.248367+00:00 host sshd[1465]: Accepted password for user from ::1 port 38058 ssh2
2026-01-11T13:44:52.917893+00:00 host sudo: user : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
Rotated files commonly appear as /var/log/auth.log.1 and compressed archives like /var/log/auth.log.2.gz.
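The per-source failure count from the grep/awk one-liner and the sudo review above, combined into reusable shell functions as an added example that is not part of the original page. It runs over constructed auth.log-style sample lines (203.0.113.7 is a documentation address) and the function names are my own; the comment shows how to feed it the rotated files instead.

```shell
#!/bin/sh
# Added example (not from the original page): summarise auth.log-style lines.
# Feed real data with:
#   sudo zgrep --no-filename -E 'sshd|sudo:' /var/log/auth.log* | failed_by_source
# SAMPLE_LOG is constructed for the demo; 203.0.113.7 is a documentation address.
SAMPLE_LOG='2026-01-11T13:43:24+00:00 host sshd[1384]: Failed password for user from 203.0.113.7 port 34806 ssh2
2026-01-11T13:43:28+00:00 host sshd[1390]: Invalid user admin from 203.0.113.7 port 34810
2026-01-11T13:43:30+00:00 host sshd[1390]: Failed password for invalid user admin from 203.0.113.7 port 34810 ssh2
2026-01-11T13:43:33+00:00 host sshd[1392]: Failed password for root from 203.0.113.7 port 34812 ssh2
2026-01-11T13:44:14+00:00 host sshd[1442]: Failed password for user from ::1 port 42230 ssh2
2026-01-11T13:44:41+00:00 host sshd[1465]: Accepted password for user from ::1 port 38058 ssh2
2026-01-11T13:44:52+00:00 host sudo: user : PWD=/ ; USER=root ; COMMAND=/usr/bin/id'

# Print the word following "from" on each line: the peer address sshd logged.
source_field() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }'
}

# Failed password attempts per source address, most frequent first ("<count> <addr>").
failed_by_source() {
    grep -F 'Failed password' | source_field | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Sources that tried usernames which do not exist on the host (one line each).
invalid_user_sources() {
    grep -F 'Invalid user' | source_field | sort -u
}

# Successful logins as "<user> <addr>", so a hit from a brute-forcing source stands out.
accepted_logins() {
    awk '/Accepted/ { for (i = 1; i < NF; i++) if ($i == "for") print $(i + 1), $(i + 3) }'
}

# Sources with at least N failed attempts (default 3): candidates for review or blocking.
brute_force_sources() {
    failed_by_source | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# sudo invocations as "<invoking user> -> <target user> : <command>".
sudo_commands() {
    grep -F 'COMMAND=' \
      | sed -E 's/.* sudo: +([^ ]+) : .*USER=([^ ]+) ; COMMAND=(.*)$/\1 -> \2 : \3/'
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 3
printf '%s\n' "$SAMPLE_LOG" | sudo_commands
```

Because sudo_commands prints the full COMMAND= value, apply the redaction note above before pasting its output anywhere.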
$ sudo tail --follow --lines 0 /var/log/auth.log
##### snipped #####
Stop following with Ctrl+C.