How To Monitor System Authentication Logs on Ubuntu?

Authentication logs are an essential component of server protection. Every remote login attempt on your server, including the username, date, and timestamp, can be fully listed if you suspect a breach. Each prompt that requests a user password, such as the sudo command, is likewise reported, along with the success or failure of the authentication. An important line of security against data breaches and other vulnerabilities within your system is monitoring. Authentication management monitors the system once you configure the users.

Log in to your AccuWeb.Cloud dashboard, select your environment, navigate to the Elastic VPS section, and click on the Web SSH icon.

Examine the authentication attempts:

In current Linux systems, every authentication attempt is stored in a distinct file. The location is /var/log/auth.log. The command to view this file is as follows.

sudo less auth.log/var/log/auth.log

Use q to quit once you are done viewing the file.

To check authentication logs in real-time, use:

sudo tail -f /var/log/auth.log

To view the entire log file:

sudo cat /var/log/auth.log

Using last command

When it comes to reviewing login attempts, you can review the most recent by using the last command.

The last command provides how and when they logged in and out.

last

Using the “lastlog” Command

The lastlog command can also be used to find out when each user last logged in. The user’s username, port, and most recent login time are displayed. You can get this information by opening /etc/log/lastlog. It is then sorted by entries in the /etc/passwd file:

lastlog

To check failed login attempts:

In Linux, the lastb command shows details about unsuccessful login attempts on a system.

lastb

Conclusion:

By following these steps, you can effectively monitor system authentication logs on your Ubuntu server within the AccuWeb.Cloud environment, enhancing your system’s security and performance.