Unexpected logins, repeated SSH failures, and sudo sessions leave records in the authentication logs of a Linux host. Checking those records gives the first evidence of who accessed the system, which source address was involved, and whether a privilege change happened near the time under review.

Most authentication activity flows through PAM and services such as sshd and sudo before systemd-journald, rsyslog, or another logger stores it. Recent events are usually easiest to inspect with journalctl because time and boot filters are built in.

File-backed logs still matter when rotated archives contain the event window. Debian and Ubuntu commonly use /var/log/auth.log, while many Red Hat-family systems use /var/log/secure. Authentication lines can contain usernames, source addresses, target accounts, TTYs, working directories, and exact commands, so mask live identifiers before sharing excerpts outside the team that owns the host.

Steps to check Linux authentication logs:

  1. Review recent sshd and sudo entries from the current boot in the systemd journal.
    $ sudo journalctl --boot -t sshd -t sudo --since "today" --output=short-iso --no-pager
    2026-06-13T10:12:46+08:00 server01 sudo[2367]:     admin : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
    2026-06-13T10:12:46+08:00 server01 sudo[2367]: pam_unix(sudo:session): session opened for user root(uid=0) by admin(uid=1000)
    2026-06-13T10:12:46+08:00 server01 sudo[2367]: pam_unix(sudo:session): session closed for user root
    2026-06-13T10:12:47+08:00 server01 sshd[2374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.17  user=admin
    2026-06-13T10:12:49+08:00 server01 sshd[2374]: Failed password for admin from 203.0.113.17 port 36080 ssh2
    2026-06-13T10:12:51+08:00 server01 sshd[2377]: Accepted publickey for deploy from 198.51.100.24 port 49590 ssh2: ED25519 SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890abcd
    2026-06-13T10:12:52+08:00 server01 sshd[2377]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)

    Repeated -t (--identifier) filters are combined as alternatives on the same journal field, SYSLOG_IDENTIFIER, so one query can show both sshd and sudo records.

  2. Read the file-backed auth log when the traditional syslog view is easier to compare with rotated archives or forwarded copies.
    $ sudo grep --extended-regexp 'sshd|sudo:' /var/log/auth.log
    2026-06-13T10:12:46.008553+08:00 server01 sudo:     admin : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
    2026-06-13T10:12:46.009088+08:00 server01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by admin(uid=1000)
    2026-06-13T10:12:46.010325+08:00 server01 sudo: pam_unix(sudo:session): session closed for user root
    2026-06-13T10:12:46.069125+08:00 server01 sshd[2372]: Server listening on 0.0.0.0 port 22.
    2026-06-13T10:12:47.208365+08:00 server01 sshd[2374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.17  user=admin
    2026-06-13T10:12:49.436694+08:00 server01 sshd[2374]: Failed password for admin from 203.0.113.17 port 36080 ssh2
    2026-06-13T10:12:51.794440+08:00 server01 sshd[2377]: Accepted publickey for deploy from 198.51.100.24 port 49590 ssh2: ED25519 SHA256:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890abcd
    2026-06-13T10:12:52.270207+08:00 server01 sshd[2377]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)

    Use /var/log/secure instead of /var/log/auth.log on many Red Hat-family systems.

  3. List the active and rotated auth logs before searching older file-backed history.
    $ sudo ls -1 /var/log/auth.log*
    /var/log/auth.log
    /var/log/auth.log.1
    /var/log/auth.log.2.gz
    /var/log/auth.log.3.gz

    Rotated auth logs commonly end in .1 or .gz, while many Red Hat-family systems expose the same history under /var/log/secure*.

  4. Search current and rotated auth logs when the event is older than the active file.
    $ sudo zgrep 'sudo:' /var/log/auth.log*
    /var/log/auth.log:2026-06-13T10:12:46.008553+08:00 server01 sudo:     admin : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
    /var/log/auth.log:2026-06-13T10:12:46.009088+08:00 server01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by admin(uid=1000)
    /var/log/auth.log:2026-06-13T10:12:46.010325+08:00 server01 sudo: pam_unix(sudo:session): session closed for user root
    /var/log/auth.log.1:2026-06-12T18:41:18.331333+08:00 server01 sudo:     admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
    /var/log/auth.log.1:2026-06-12T18:41:18.338262+08:00 server01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by admin(uid=1000)
    /var/log/auth.log.1:2026-06-12T18:41:19.163800+08:00 server01 sudo: pam_unix(sudo:session): session closed for user root
    /var/log/auth.log.2.gz:2026-06-11T09:20:31.782113+08:00 server01 sudo:     deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl restart app.service
    /var/log/auth.log.2.gz:2026-06-11T09:20:31.796421+08:00 server01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by deploy(uid=1001)
    /var/log/auth.log.2.gz:2026-06-11T09:20:33.102118+08:00 server01 sudo: pam_unix(sudo:session): session closed for user root

    Replace sudo: with a username, source address, or sshd when looking for a different authentication event.

  5. List available boots before opening authentication records from an earlier journal.
    $ sudo journalctl --list-boots --no-pager
     -2 7816e77dcd044a598b5f47bb7af76970 Fri 2026-06-12 08:03:11 +08 Fri 2026-06-12 18:46:02 +08
     -1 6c81ac93dff643d693ebdc48b5fb3e34 Fri 2026-06-12 18:47:15 +08 Sat 2026-06-13 09:58:04 +08
      0 58c9fa7dd37d4896b561e344dd75ab8e Sat 2026-06-13 10:01:33 +08 Sat 2026-06-13 10:18:27 +08

    Older boots appear only when the journal has retained them. Some systems keep journal data only for the current boot.

  6. Open authentication records from a previous boot when the event happened before the current startup.
    $ sudo journalctl --boot=-1 -t sshd -t sudo --output=short-iso --no-pager
    2026-06-13T09:42:11+08:00 server01 sshd[1842]: Failed password for admin from 203.0.113.17 port 51120 ssh2
    2026-06-13T09:42:13+08:00 server01 sshd[1842]: Connection closed by authenticating user admin 203.0.113.17 port 51120 [preauth]
    2026-06-13T09:47:06+08:00 server01 sudo[1926]:     admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/journalctl --list-boots --no-pager
    2026-06-13T09:47:06+08:00 server01 sudo[1926]: pam_unix(sudo:session): session opened for user root(uid=0) by admin(uid=1000)
    2026-06-13T09:47:06+08:00 server01 sudo[1926]: pam_unix(sudo:session): session closed for user root

    The boot offset --boot=-1 means the boot immediately before the current one.

  7. Follow new authentication events live while reproducing a login problem or monitoring an active investigation.
    $ sudo journalctl --since "now" --follow -t sshd -t sudo --output=short-iso
    2026-06-13T10:31:44+08:00 server01 sshd[2448]: Failed password for admin from 203.0.113.17 port 39214 ssh2
    2026-06-13T10:31:46+08:00 server01 sudo[2451]:     deploy : TTY=pts/2 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/id

    Stop the live view with Ctrl+C after the test or monitoring window is complete.
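    The steps above read the records by eye. As an added example (not part of the original how-to), the script below parses both layouts shown above, the journalctl short-iso form with "sshd[PID]:" and the auth.log form where rsyslog writes "sudo:", and reduces them to the three questions the review asks: repeated SSH failures per source address and account, accepted logins, and sudo commands that switched to root. The sample lines are constructed from the entries on this page; the regular expressions and the fail_threshold of 2 are assumptions.

```python
import re
import sys
from collections import Counter

# Constructed sample in the two layouts shown above (journal short-iso with
# "sshd[PID]:" and rsyslog auth.log with "sudo:"), including lines the
# parser must ignore (pam_unix session bookkeeping, "Server listening").
SAMPLE = """\
2026-06-13T10:12:46+08:00 server01 sudo[2367]:     admin : PWD=/ ; USER=root ; COMMAND=/usr/bin/id
2026-06-13T10:12:47+08:00 server01 sshd[2374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.17  user=admin
2026-06-13T10:12:49+08:00 server01 sshd[2374]: Failed password for admin from 203.0.113.17 port 36080 ssh2
2026-06-13T10:12:51+08:00 server01 sshd[2377]: Accepted publickey for deploy from 198.51.100.24 port 49590 ssh2: ED25519 SHA256:AbCd
2026-06-12T18:41:18.331333+08:00 server01 sudo:     admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
2026-06-13T09:42:11+08:00 server01 sshd[1842]: Failed password for admin from 203.0.113.17 port 51120 ssh2
2026-06-13T10:12:46+08:00 server01 sshd[2372]: Server listening on 0.0.0.0 port 22.
"""

# "<timestamp> <host> <program>[<pid>]: <message>"; the [pid] part is optional.
HEADER = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[A-Za-z_-]+)(?:\[\d+\])?: (?P<msg>.*)$')
# sshd outcome lines; "invalid user" appears for accounts that do not exist.
SSH_RESULT = re.compile(r'^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?'
                        r'(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)')
# sudo command lines: "<user> : [TTY=...] ; PWD=... ; USER=<target> ; COMMAND=<cmd>".
SUDO_CMD = re.compile(r'^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$')

def parse_line(line):
    """Return a dict for an SSH outcome or sudo command line, else None."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "prog": m["prog"]}
    if m["prog"] == "sshd" and (s := SSH_RESULT.match(m["msg"])):
        rec.update(kind="ssh_" + s["result"].lower(), user=s["user"], ip=s["ip"], method=s["method"])
        return rec
    if m["prog"] == "sudo" and (s := SUDO_CMD.match(m["msg"])):
        rec.update(kind="sudo", user=s["user"], target=s["target"], cmd=s["cmd"].strip())
        return rec
    return None  # pam_unix bookkeeping, "Server listening", unrelated programs

def summarize(text, fail_threshold=2):
    """Aggregate failures per (ip, user), accepted logins, and sudo-to-root commands."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    failures = Counter((e["ip"], e["user"]) for e in events if e["kind"] == "ssh_failed")
    accepted = [(e["user"], e["ip"], e["method"]) for e in events if e["kind"] == "ssh_accepted"]
    root_sudo = [(e["user"], e["target"], e["cmd"]) for e in events if e["kind"] == "sudo" and e["target"] == "root"]
    repeat = sorted(k for k, n in failures.items() if n >= fail_threshold)
    return {"failures": failures, "accepted": accepted, "root_sudo": root_sudo, "repeat_failures": repeat}

if __name__ == "__main__":
    # Pipe journalctl or grep output in; with no stdin, run over the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
```

    Piping the output of step 1 or step 4 into the script (for example, the zgrep command with a pattern of 'sshd|sudo:') gives the same summary for rotated history.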