There are a few ways to get information out of the /var/log files using the Linux command line. Here are a few examples.
Show the history of apt commands on your Linux box with this command.
jason@eyjafjallajkull:~$ grep 'Commandline: ' /var/log/apt/history.log
Commandline: apt-get upgrade
Commandline: apt-get install gnome-alsamixer
Commandline: apt-get install indicator-sound-switcher
Commandline: apt-get upgrade
Commandline: apt-get upgrade
Commandline: apt-get upgrade
Commandline: apt-get upgrade
Commandline: apt-get install unity8
Commandline: apt-get install gnome-common
To view all commands run with sudo on your system, use this command:
sudo cat /var/log/sudo.log
This will list all commands run with sudo and which user ran each one.
Getting information about password changes and related events from /var/log/auth.log.
jason@darkstar:~$ sudo cat /var/log/auth.log | grep "password"
Jul 21 21:59:01 darkstar chage[5210]: changed password expiry for libvirt-qemu
Jul 22 18:40:22 darkstar sudo: pam_unix(sudo:auth): auth could not identify password for [steam]
Jul 22 18:40:34 darkstar passwd[1587]: pam_unix(passwd:chauthtok): password changed for steam
Jul 22 18:40:34 darkstar passwd[1587]: gkr-pam: couldn't update the login keyring password: no old password was entered
Jul 28 22:41:03 darkstar usermod[2053]: change user 'netplan' password
Jul 28 22:41:04 darkstar chage[2058]: changed password expiry for netplan
Jul 29 11:19:13 darkstar sshd[4210]: Accepted password for jason from ::1 port 46152 ssh2
Listing all successful SSH logins to my machine.
jason@darkstar:~$ sudo cat /var/log/auth.log | grep 'sshd.*opened'
Jul 29 11:19:13 darkstar sshd[4210]: pam_unix(sshd:session): session opened for user jason by (uid=0)
Listing all unsuccessful SSH login attempts.
jason@darkstar:~$ sudo cat /var/log/auth.log | grep 'sshd.*Failed'
Jul 29 11:24:53 darkstar sshd[4290]: Failed password for jason from ::1 port 46196 ssh2
Jul 29 11:25:15 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
Jul 29 11:25:21 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
Jul 29 11:25:25 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
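The grep one-liners above answer "what happened"; the next question is usually "how many failures per account and source". The script below is an added example, not from the original post: it summarises failed and accepted sshd password events from auth.log-style lines and flags any (user, source) pair over a threshold. The sample lines are constructed to mirror the output shown above.

```shell
#!/bin/sh
# Added example: summarise sshd password events from an auth.log-style file.
# The sample lines below are constructed, not a real capture.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul 29 11:19:13 darkstar sshd[4210]: Accepted password for jason from ::1 port 46152 ssh2
Jul 29 11:24:53 darkstar sshd[4290]: Failed password for jason from ::1 port 46196 ssh2
Jul 29 11:25:15 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
Jul 29 11:25:21 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
Jul 29 11:25:25 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
Jul 29 11:30:02 darkstar sshd[4350]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
EOF

# Print "<count> <user> <source>" for every (user, source) pair that had failed
# password attempts, most frequent first. Also handles the "invalid user" form
# sshd logs for accounts that do not exist.
failed_by_user_source() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
    | sed -E 's/.*Failed password for (invalid user )?([^ ]+) from ([^ ]+) port.*/\2 \3/' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Print the pairs with at least $2 failures; exit 0 if any were found, 1 otherwise,
# so the function can drive an alert from cron or a monitoring check.
flag_bruteforce() {
    failed_by_user_source "$1" | awk -v t="$2" '$1 >= t {print; hit=1} END {exit hit ? 0 : 1}'
}

# Count accepted logins, to compare against what last(1) reports.
accepted_logins() {
    grep -c 'sshd\[[0-9]*\]: Accepted ' "$1"
}

failed_by_user_source "$SAMPLE_LOG"
flag_bruteforce "$SAMPLE_LOG" 3 && echo "threshold exceeded"
echo "accepted logins: $(accepted_logins "$SAMPLE_LOG")"
```

Run it against the real file with `sudo sh script.sh` after replacing SAMPLE_LOG with /var/log/auth.log; on newer distributions the same lines may only be available via `journalctl -u ssh`.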
Use the lastb command to read the /var/log/btmp file and return all bad login attempts.
jason@darkstar:~$ sudo lastb -x -F
jason    ssh:notty    localhost    Wed Jul 29 11:25:25 2015 - Wed Jul 29 11:25:25 2015  (00:00)
jason    ssh:notty    localhost    Wed Jul 29 11:25:21 2015 - Wed Jul 29 11:25:21 2015  (00:00)
jason    ssh:notty    localhost    Wed Jul 29 11:25:15 2015 - Wed Jul 29 11:25:15 2015  (00:00)
jason    ssh:notty    localhost    Wed Jul 29 11:24:53 2015 - Wed Jul 29 11:24:53 2015  (00:00)

btmp begins Wed Jul 29 11:24:53 2015
And the last command shows all successful login attempts to your Linux box.
jason@darkstar:~$ last | head -n 20
jason    pts/3        localhost        Wed Jul 29 11:19 - 11:19  (00:00)
jason    pts/2        :0.0             Wed Jul 29 11:17   still logged in
jason    pts/0        :0.0             Wed Jul 29 10:22   still logged in
jason    pts/0        :0.0             Wed Jul 29 09:28 - 10:19  (00:51)
jason    :0           :0               Wed Jul 29 09:27   still logged in
reboot   system boot  3.16.0-4-amd64   Wed Jul 29 09:27 - 11:36  (02:09)
jason    pts/0        :0.0             Tue Jul 28 22:39 - 23:38  (00:58)
jason    :0           :0               Tue Jul 28 22:36 - down   (01:01)
reboot   system boot  3.16.0-4-amd64   Tue Jul 28 22:35 - 23:38  (01:02)
jason    pts/1        :0.0             Tue Jul 28 15:22 - 15:52  (00:29)
jason    :0           :0               Tue Jul 28 14:35 - down   (01:17)
reboot   system boot  3.16.0-4-amd64   Tue Jul 28 14:35 - 15:53  (01:18)
jason    pts/0        :0.0             Tue Jul 28 14:27 - 14:31  (00:03)
jason    :0           :0               Tue Jul 28 14:25 - down   (00:09)
jason    pts/0        :0               Tue Jul 28 14:23 - 14:24  (00:01)
jason    :0           :0               Tue Jul 28 14:22 - 14:24  (00:02)
jason    pts/0        :0.0             Tue Jul 28 13:52 - 14:22  (00:30)
jason    :0           :0               Tue Jul 28 13:50 - 14:22  (00:31)
reboot   system boot  3.16.0-4-amd64   Tue Jul 28 13:50 - 14:34  (00:44)
jason    pts/1        :0.0             Tue Jul 28 13:47 - 13:48  (00:01)