Authentication logs record accepted logins, failed sign-in attempts, and privilege escalation events, which makes them one of the fastest places to confirm who accessed a Linux host and whether that access was expected.

Most authentication activity flows through PAM and services such as sshd and sudo before it is handed to the system logger. On current Ubuntu systems, the same records are available in both the systemd journal and the file-backed /var/log/auth.log, so recent checks and older history can be read from either surface.

The steps below are written for Ubuntu 24.04 LTS, which exposes both journalctl and /var/log/auth.log by default. On many RHEL-family systems, the comparable file is /var/log/secure instead, and hosts without persistent journald storage may not retain older boots. Authentication records commonly include usernames, source addresses, and command lines, so copied excerpts should be treated as sensitive.

Steps to check Linux authentication logs:

  1. Review recent authentication entries from the current boot in the systemd journal.
    $ sudo journalctl -t sshd -t sudo --since "today" --output=short-iso --no-pager
    2026-04-14T12:12:46+08:00 host sudo[2367]:     user : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
    2026-04-14T12:12:46+08:00 host sudo[2367]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
    2026-04-14T12:12:46+08:00 host sudo[2367]: pam_unix(sudo:session): session closed for user root
    2026-04-14T12:12:46+08:00 host sshd[2374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=user
    2026-04-14T12:12:48+08:00 host sshd[2374]: Failed password for user from 127.0.0.1 port 36080 ssh2
    2026-04-14T12:12:48+08:00 host sshd[2377]: Accepted password for user from 127.0.0.1 port 49590 ssh2
    2026-04-14T12:12:48+08:00 host sshd[2377]: pam_unix(sshd:session): session opened for user user(uid=1000) by user(uid=0)
    2026-04-14T12:12:50+08:00 host sshd[2377]: pam_unix(sshd:session): session closed for user user

    Repeated -t filters match the syslog identifier, so one query can combine both sshd and sudo records.

  2. Read the same authentication records from the file-backed auth log when the traditional syslog view is easier to scan.
    $ sudo grep --extended-regexp 'sshd|sudo:' /var/log/auth.log
    2026-04-14T12:12:46.008553+08:00 host sudo:     user : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
    2026-04-14T12:12:46.009088+08:00 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
    2026-04-14T12:12:46.010325+08:00 host sudo: pam_unix(sudo:session): session closed for user root
    2026-04-14T12:12:46.069125+08:00 host sshd[2372]: Server listening on 0.0.0.0 port 22.
    2026-04-14T12:12:46.208365+08:00 host sshd[2374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=user
    2026-04-14T12:12:48.436694+08:00 host sshd[2374]: Failed password for user from 127.0.0.1 port 36080 ssh2
    2026-04-14T12:12:48.794440+08:00 host sshd[2377]: Accepted password for user from 127.0.0.1 port 49590 ssh2
    2026-04-14T12:12:50.270207+08:00 host sshd[2377]: pam_unix(sshd:session): session closed for user user

    Use /var/log/secure instead of /var/log/auth.log on many RHEL-family systems.

  3. List the active and rotated auth logs before searching older file-backed history.
    $ sudo ls -1 /var/log/auth.log*
    /var/log/auth.log
    /var/log/auth.log.1
    /var/log/auth.log.2.gz
    /var/log/auth.log.3.gz
    /var/log/auth.log.4.gz

    Rotated auth logs commonly end in .1 or .gz, while many RHEL-family systems expose the same history under /var/log/secure*.

  4. Search current and rotated auth logs when the event is older than the active file.
    $ sudo zgrep 'sudo:' /var/log/auth.log* | tail -n 6
    /var/log/auth.log.4.gz:2025-08-24T07:52:27.931333+08:00 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by user(uid=1000)
    /var/log/auth.log.4.gz:2025-08-24T07:52:28.158262+08:00 host sudo: pam_unix(sudo:session): session closed for user root
    /var/log/auth.log.4.gz:2025-08-24T07:52:28.163530+08:00 host sudo:     user : TTY=tty1 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/apt autoremove --assume-yes
    /var/log/auth.log.4.gz:2025-08-24T07:52:28.163800+08:00 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by user(uid=1000)
    /var/log/auth.log.4.gz:2025-08-24T07:52:37.645333+08:00 host sudo:     user : TTY=tty1 ; PWD=/home/user ; USER=root ; COMMAND=/usr/sbin/poweroff
    /var/log/auth.log.4.gz:2025-08-24T07:52:37.656485+08:00 host sudo: pam_unix(sudo:session): session closed for user root

    Replace sudo: with a username, source address, or sshd when looking for a different authentication event.

  5. List available boots before opening authentication records from an earlier journal.
    $ sudo journalctl --list-boots --no-pager
    ##### snipped #####
     -4 98415c38f9814d51bdabb3041f45b61a Thu 2026-01-08 19:27:20 +08 Thu 2026-01-08 19:28:31 +08
     -3 7724fd1233f74a689cc6823eaadbb98a Thu 2026-01-08 19:28:40 +08 Thu 2026-01-08 19:33:29 +08
     -2 672d22a4ded243aa924a3fed91ad88fa Thu 2026-01-15 19:14:27 +08 Thu 2026-01-15 19:15:27 +08
     -1 4be311dc71b541c1b9a2b25de3f7b21d Thu 2026-01-15 19:15:36 +08 Thu 2026-01-15 19:17:13 +08
      0 19de730bd48b4c0aaaec2a4467b14cc7 Tue 2026-04-14 12:09:21 +08 Tue 2026-04-14 12:14:51 +08

    Open a specific earlier boot with sudo journalctl --boot=-1 -t sshd -t sudo --output=short-iso --no-pager.

  6. Follow new authentication events live while reproducing a login problem or monitoring an active investigation.
    $ sudo journalctl --follow -t sshd -t sudo --output=short-iso
    ##### snipped #####

    On file-backed systems, use sudo tail --follow /var/log/auth.log or sudo tail --follow /var/log/secure, and stop the live view with Ctrl+C.
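As an added example that is not part of the original procedure, the following Python script parses the sshd and sudo message formats shown in steps 1, 2 and 4 and reports sources whose repeated failed logins were followed by an accepted one. The sample lines are constructed from the step 2 output; the second source 203.0.113.7 and the usernames admin and test are made up for the example.

```python
import re
from collections import Counter

# Message formats from the journalctl/auth.log output above; sudo lines carry a [pid] only in the journal.
SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) "
                    r"from (\S+) port \d+")
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")

def summarize(lines):
    """Count ssh outcomes per (user, source) and sudo commands per (user, target)."""
    out = {"accepted": Counter(), "failed": Counter(), "sudo": Counter()}
    for line in lines:
        m = SSH_RE.search(line)
        if m:
            outcome, user, rhost = m.groups()
            out["accepted" if outcome == "Accepted" else "failed"][(user, rhost)] += 1
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, command = m.groups()
            out["sudo"][(user, target, command.strip())] += 1
    return out

def noisy_sources(summary, threshold=3):
    """Sources with at least `threshold` failures, plus users they later logged in as."""
    failures = Counter()
    for (_user, rhost), n in summary["failed"].items():
        failures[rhost] += n
    result = []
    for rhost, n in sorted(failures.items()):
        if n >= threshold:
            users = sorted(u for (u, r) in summary["accepted"] if r == rhost)
            result.append((rhost, n, users))
    return result

# Constructed sample lines modelled on the step 2 output; 203.0.113.7 is a made-up second source.
SAMPLE = """\
2026-04-14T12:12:46.008553+08:00 host sudo:     user : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
2026-04-14T12:12:46.208365+08:00 host sshd[2374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=user
2026-04-14T12:12:48.436694+08:00 host sshd[2374]: Failed password for user from 127.0.0.1 port 36080 ssh2
2026-04-14T12:12:48.794440+08:00 host sshd[2377]: Accepted password for user from 127.0.0.1 port 49590 ssh2
2026-04-14T12:13:01.100000+08:00 host sshd[2401]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2026-04-14T12:13:02.100000+08:00 host sshd[2402]: Failed password for invalid user test from 203.0.113.7 port 51001 ssh2
2026-04-14T12:13:03.100000+08:00 host sshd[2403]: Failed password for user from 203.0.113.7 port 51002 ssh2
2026-04-14T12:13:05.100000+08:00 host sshd[2404]: Accepted password for user from 203.0.113.7 port 51003 ssh2
""".splitlines()

if __name__ == "__main__":
    for rhost, n, users in noisy_sources(summarize(SAMPLE)):
        print(f"{rhost}: {n} failed logins, then accepted as {users or 'nobody'}")
```

The pam_unix "authentication failure" line describes the same attempt as the following "Failed password" line, so only the latter is counted; feed the script real lines with `sudo zgrep -h sshd /var/log/auth.log*` piped into `summarize(sys.stdin)`.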