Authentication logs provide the most direct record of who tried to sign in, where the attempt came from, and whether it succeeded. Reviewing these events promptly helps spot brute-force activity, suspicious privilege escalation, and unexpected account use before an intrusion progresses further.

Most authentication events originate from sshd and sudo, with allow/deny decisions made by PAM and recorded through syslog or the systemd journal. On Ubuntu and Debian, these events commonly land in /var/log/auth.log, while RHEL-family systems typically use /var/log/secure.

Log rotation moves older entries into numbered files and compressed .gz archives, so incident timelines often span multiple files. Authentication logs can include usernames, source addresses, and executed commands, so treat copies as sensitive and avoid editing originals during investigations.

Steps to review authentication logs with log files and grep in Linux:

  1. Identify the authentication log file on the host.
    $ sudo ls -1 /var/log/auth.log /var/log/secure 2>/dev/null
    /var/log/auth.log

    On RHEL-family systems, /var/log/secure is usually present instead of /var/log/auth.log.

  2. Inspect recent authentication events from the log file.
    $ sudo tail --lines 20 /var/log/auth.log
    2026-01-11T13:44:14.475365+00:00 host sshd[1442]: Failed password for user from ::1 port 42230 ssh2
    2026-01-11T13:44:41.248367+00:00 host sshd[1465]: Accepted password for user from ::1 port 38058 ssh2
    2026-01-11T13:44:41.249100+00:00 host sshd[1465]: pam_unix(sshd:session): session opened for user user(uid=1001) by user(uid=0)
    2026-01-11T13:44:41.252503+00:00 host systemd-logind[175]: New session 2 of user user.
    2026-01-11T13:44:41.324221+00:00 host sshd[1481]: Received disconnect from ::1 port 38058:11: disconnected by user
    2026-01-11T13:44:52.917893+00:00 host sudo:     user : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
    2026-01-11T13:44:52.918709+00:00 host sudo: pam_unix(sudo:session): session closed for user root
    2026-01-11T13:44:52.919161+00:00 host sudo: pam_unix(sudo:session): session closed for user user

    On journal-only hosts, query the systemd journal with sudo journalctl --unit ssh --since "today" --no-pager (or --unit sshd on RHEL).

  3. Filter sshd messages to review successful and failed SSH logins.
    $ sudo grep --extended-regexp 'sshd.*(Accepted|Failed password|Invalid user)' /var/log/auth.log | tail --lines 20
    2026-01-11T13:43:24.918922+00:00 host sshd[1384]: Failed password for user from ::1 port 34806 ssh2
    2026-01-11T13:44:14.475365+00:00 host sshd[1442]: Failed password for user from ::1 port 42230 ssh2
    2026-01-11T13:44:41.248367+00:00 host sshd[1465]: Accepted password for user from ::1 port 38058 ssh2

    Summarize repeated failures by source address with sudo grep --fixed-strings "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head. On a "Failed password" line the source address is the fourth field from the end (the word after "from"), which $(NF-3) selects for both "for user" and "for invalid user" variants.

  4. Filter sudo messages to review privilege escalation commands.
    $ sudo grep --fixed-strings "sudo:" /var/log/auth.log | tail --lines 20
    2026-01-11T13:44:52.917893+00:00 host sudo:     user : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
    2026-01-11T13:44:52.918709+00:00 host sudo: pam_unix(sudo:session): session closed for user root
    2026-01-11T13:44:52.919161+00:00 host sudo: pam_unix(sudo:session): session closed for user user

    sudo command lines may include sensitive arguments (tokens, passwords, URLs); redact before sharing excerpts.

  5. Search rotated and compressed authentication logs for older events.
    $ sudo zgrep --no-filename --extended-regexp 'sshd|sudo:' /var/log/auth.log* | tail --lines 20
    2026-01-11T13:44:14.475365+00:00 host sshd[1442]: Failed password for user from ::1 port 42230 ssh2
    2026-01-11T13:44:41.248367+00:00 host sshd[1465]: Accepted password for user from ::1 port 38058 ssh2
    2026-01-11T13:44:52.917893+00:00 host sudo:     user : PWD=/ ; USER=root ; COMMAND=/usr/bin/id

    Rotated files commonly appear as /var/log/auth.log.1 and compressed archives like /var/log/auth.log.2.gz.

  6. Follow authentication logs live to observe new events as they are written.
    $ sudo tail --follow --lines 0 /var/log/auth.log
    ##### snipped #####

    Stop following with Ctrl+C.
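    As an added example that is not part of the original page, the script below applies the grep and awk patterns from steps 3 to 5 to a set of constructed auth.log-style lines: it counts failed passwords per source address, lists accepted logins as user@source, and reduces sudo records to who ran what as whom. Pass a log path (read as root) to run it against a real file instead of the sample.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): summarize sshd and sudo events
# from auth.log-style lines. The lines in SAMPLE_LOG are constructed.
# Usage: bash auth_summary.sh [/var/log/auth.log]   (defaults to the sample)

SAMPLE_LOG='2026-01-11T13:43:24.918922+00:00 host sshd[1384]: Failed password for user from ::1 port 34806 ssh2
2026-01-11T13:44:14.475365+00:00 host sshd[1442]: Failed password for user from ::1 port 42230 ssh2
2026-01-11T13:44:20.100000+00:00 host sshd[1450]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
2026-01-11T13:44:21.100000+00:00 host sshd[1450]: Invalid user admin from 198.51.100.7 port 51000
2026-01-11T13:44:41.248367+00:00 host sshd[1465]: Accepted password for user from ::1 port 38058 ssh2
2026-01-11T13:44:52.917893+00:00 host sudo:     user : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
2026-01-11T13:44:52.918709+00:00 host sudo: pam_unix(sudo:session): session closed for user root'

# Count "Failed password" events per source address. The address is the word
# after "from", which holds for both "for user X" and "for invalid user X".
failed_by_source() {
  grep --fixed-strings 'Failed password' |
    awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' |
    sort | uniq -c | sort -nr | awk '{ print $1, $2 }'
}

# List successful sshd logins as user@source (password or publickey).
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / {
         for (i = 1; i < NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") s = $(i + 1) }
         print u "@" s }'
}

# Reduce sudo command records to "invoker -> target: command"; pam_unix
# session lines do not have the "user : " shape and are skipped.
sudo_commands() {
  grep --extended-regexp 'sudo: +[^ ]+ : ' |
    sed -E 's/.*sudo: +([^ ]+) : .*USER=([^ ]+) ; COMMAND=(.*)$/\1 -> \2: \3/'
}

report() {  # reads log lines from stdin and prints the three summaries
  local log; log=$(cat)
  echo '== failed password attempts by source =='; printf '%s\n' "$log" | failed_by_source
  echo '== accepted logins ==';                    printf '%s\n' "$log" | accepted_logins
  echo '== sudo commands ==';                      printf '%s\n' "$log" | sudo_commands
}

# Run on the given file (e.g. /var/log/auth.log, needs root) or on the sample.
if [ -n "${1:-}" ]; then report < "$1"; else printf '%s\n' "$SAMPLE_LOG" | report; fi
```

    Rotated archives can be folded in the same way by feeding zcat output to the script's stdin, for example sudo zcat /var/log/auth.log.2.gz | bash -c '. ./auth_summary.sh /dev/stdin'.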