How to get information out of the system logfiles on Linux. Showing failed logins.

Posted: July 28, 2015. At: 11:38 AM. Post ID: 8139

There are a few ways to get information out of the /var/log files using the Linux command line. Here are a few examples.

Show the history of apt commands on your Linux box with this command.

[email protected]:~$ grep 'Commandline: ' /var/log/apt/history.log
Commandline: apt-get upgrade
Commandline: apt-get install gnome-alsamixer
Commandline: apt-get install indicator-sound-switcher
Commandline: apt-get upgrade
Commandline: apt-get upgrade
Commandline: apt-get upgrade
Commandline: apt-get upgrade
Commandline: apt-get install unity8
Commandline: apt-get install gnome-common

To view all commands run with sudo on your system, use this command: sudo cat /var/log/sudo.log. This lists every command run with sudo and the user who ran it. Note that /var/log/sudo.log only exists if a logfile is configured for sudo in /etc/sudoers; by default sudo logs through syslog, so its entries land in /var/log/auth.log instead.

Getting information about password changes and related events from /var/log/auth.log.

[email protected]:~$ sudo cat /var/log/auth.log | grep "password"
Jul 21 21:59:01 darkstar chage[5210]: changed password expiry for libvirt-qemu
Jul 22 18:40:22 darkstar sudo: pam_unix(sudo:auth): auth could not identify password for [steam]
Jul 22 18:40:34 darkstar passwd[1587]: pam_unix(passwd:chauthtok): password changed for steam
Jul 22 18:40:34 darkstar passwd[1587]: gkr-pam: couldn't update the login keyring password: no old password was entered
Jul 28 22:41:03 darkstar usermod[2053]: change user 'netplan' password
Jul 28 22:41:04 darkstar chage[2058]: changed password expiry for netplan
Jul 29 11:19:13 darkstar sshd[4210]: Accepted password for jason from ::1 port 46152 ssh2

Listing all successful SSH logins to my machine.

[email protected]:~$ sudo cat /var/log/auth.log | grep 'sshd.*opened'
Jul 29 11:19:13 darkstar sshd[4210]: pam_unix(sshd:session): session opened for user jason by (uid=0)

Listing all unsuccessful SSH login attempts.

[email protected]:~$ sudo cat /var/log/auth.log | grep 'sshd.*Failed'
Jul 29 11:24:53 darkstar sshd[4290]: Failed password for jason from ::1 port 46196 ssh2
Jul 29 11:25:15 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
Jul 29 11:25:21 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
Jul 29 11:25:25 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
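The auth.log greps above, turned into a few shell functions that count failed sshd logins per user and source address, flag any source that reaches a failure threshold, and list accepted logins with their authentication method. This is an added example, not code from the original post; the sample log excerpt is constructed (the 203.0.113.7 attempts and the publickey login are invented), and the threshold of 3 is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_AUTH_LOG is a constructed
# auth.log excerpt: the 203.0.113.7 attempts and the publickey login are made up.
SAMPLE_AUTH_LOG='Jul 29 11:19:13 darkstar sshd[4210]: Accepted password for jason from ::1 port 46152 ssh2
Jul 29 11:24:53 darkstar sshd[4290]: Failed password for jason from ::1 port 46196 ssh2
Jul 29 11:25:15 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
Jul 29 11:25:21 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
Jul 29 11:25:25 darkstar sshd[4301]: Failed password for jason from ::1 port 46197 ssh2
Jul 29 11:30:02 darkstar sshd[4350]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 29 11:30:05 darkstar sshd[4352]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jul 29 11:31:40 darkstar sshd[4360]: Accepted publickey for jason from 198.51.100.4 port 40122 ssh2'

# failed_by_source LOGFILE: prints "count user source" per sshd "Failed password"
# line, most failures first; "invalid user" is dropped so unknown names count too.
failed_by_source() {
  grep 'sshd\[[0-9]*\]: Failed password for' "$1" | sed 's/ invalid user / /' |
    awk '{ for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i + 1); else if ($i == "from") s = $(i + 1) }
           n[u " " s]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# flag_bruteforce LOGFILE THRESHOLD: sources whose failures against one user reach THRESHOLD.
flag_bruteforce() {
  failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $3 }' | sort -u
}

# accepted_logins LOGFILE: prints "method user source" for each successful sshd login.
accepted_logins() {
  grep 'sshd\[[0-9]*\]: Accepted ' "$1" |
    awk '{ for (i = 1; i <= NF; i++) { if ($i == "Accepted") m = $(i + 1); else if ($i == "for") u = $(i + 1); else if ($i == "from") s = $(i + 1) }
           print m, u, s }'
}

# Demo over the constructed sample; on a real host point the functions at /var/log/auth.log (with sudo).
SAMPLE_FILE=$(mktemp); trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$SAMPLE_FILE"
echo '== failed attempts (count user source) ==';       failed_by_source "$SAMPLE_FILE"
echo '== sources with >= 3 failures on one account =='; flag_bruteforce "$SAMPLE_FILE" 3
echo '== accepted logins (method user source) ==';      accepted_logins "$SAMPLE_FILE"
```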

Use the lastb command to read the /var/log/btmp file and return all bad login attempts.

[email protected]:~$ sudo lastb -x -F
jason    ssh:notty    localhost        Wed Jul 29 11:25:25 2015 - Wed Jul 29 11:25:25 2015  (00:00)    
jason    ssh:notty    localhost        Wed Jul 29 11:25:21 2015 - Wed Jul 29 11:25:21 2015  (00:00)    
jason    ssh:notty    localhost        Wed Jul 29 11:25:15 2015 - Wed Jul 29 11:25:15 2015  (00:00)    
jason    ssh:notty    localhost        Wed Jul 29 11:24:53 2015 - Wed Jul 29 11:24:53 2015  (00:00)    
 
btmp begins Wed Jul 29 11:24:53 2015

And the last command reads /var/log/wtmp and shows all successful logins to your Linux box, along with system reboots.

[email protected]:~$ last | head -n 20
jason    pts/3        localhost        Wed Jul 29 11:19 - 11:19  (00:00)    
jason    pts/2        :0.0             Wed Jul 29 11:17   still logged in   
jason    pts/0        :0.0             Wed Jul 29 10:22   still logged in   
jason    pts/0        :0.0             Wed Jul 29 09:28 - 10:19  (00:51)    
jason    :0           :0               Wed Jul 29 09:27   still logged in   
reboot   system boot  3.16.0-4-amd64   Wed Jul 29 09:27 - 11:36  (02:09)    
jason    pts/0        :0.0             Tue Jul 28 22:39 - 23:38  (00:58)    
jason    :0           :0               Tue Jul 28 22:36 - down   (01:01)    
reboot   system boot  3.16.0-4-amd64   Tue Jul 28 22:35 - 23:38  (01:02)    
jason    pts/1        :0.0             Tue Jul 28 15:22 - 15:52  (00:29)    
jason    :0           :0               Tue Jul 28 14:35 - down   (01:17)    
reboot   system boot  3.16.0-4-amd64   Tue Jul 28 14:35 - 15:53  (01:18)    
jason    pts/0        :0.0             Tue Jul 28 14:27 - 14:31  (00:03)    
jason    :0           :0               Tue Jul 28 14:25 - down   (00:09)    
jason    pts/0        :0               Tue Jul 28 14:23 - 14:24  (00:01)    
jason    :0           :0               Tue Jul 28 14:22 - 14:24  (00:02)    
jason    pts/0        :0.0             Tue Jul 28 13:52 - 14:22  (00:30)    
jason    :0           :0               Tue Jul 28 13:50 - 14:22  (00:31)    
reboot   system boot  3.16.0-4-amd64   Tue Jul 28 13:50 - 14:34  (00:44)    
jason    pts/1        :0.0             Tue Jul 28 13:47 - 13:48  (00:01)
