Home Linux DistributionsCentOS How To Change Default Sudo Log File In Linux
Change Default Sudo Log File In Linux

How To Change Default Sudo Log File In Linux

By sk
194 Views

This guide explains how to change default sudo log file in Linux. By default, all sudo incidents will be logged in /var/log/auth.log file in Debian-based systems like Ubuntu. In RPM-based systems like CentOS and Fedora, the sudo activities are stored in /var/log/secure/ file. In openSUSE, the sudo logs are stored in /var/log/messages file. However, they are not dedicated to sudo logs. If you look into those files, you will notice that there are other kinds of logs, such as cron, ssh, systemd etc., are also stored in them. If you want a setup dedicated file for logging both successful and unsuccessful sudo attempts (as well as errors), follow the steps given below.

Change Default Sudo Log File In Linux

By default sudo will log via syslog, but this can be changed via the "/etc/sudoers" file. First, we will see how to do it in Debian-based systems.

How To Change Default Sudo Log File In Ubuntu

In Ubuntu, the sudo activities are stored in /var/log/auth.log file.

To change or set a dedicated log file for sudo in Ubuntu 20.04, edit "/etc/sudoers" file using command:

$ sudo visudo

Add the following line at the end:

Defaults syslog=local1

Set Sudo Log File Location In Debian, Ubuntu

Press CTRL+X followed by Y to save and exit the file.

Next, edit "/etc/rsyslog.d/50-default.conf" file:

$ sudo nano /etc/rsyslog.d/50-default.conf

Add the following line (line number 8) marked in red color before the "auth,authpriv.*" line.

[...]
local1.*                        /var/log/sudo.log
auth,authpriv.*                 /var/log/auth.log
[...]

How To Change Sudo Log File Location In Debian, Ubuntu

Here, /var/log/sudo.log is the file where all sudo logs are going to be stored. Save and close the file (CTRL+X and Y).

Finally, restart rsyslog service to take effect the changes:

$ sudo systemctl restart rsyslog

From now on, all sudo attempts will be logged in /var/log/sudo.log file. For instance, I am going to run the following command:

$ sudo apt update

Now let me verify if it gets logged in /var/log/sudo.log file:

$ cat /var/log/sudo.log

Sample output:

May 2 12:14:18 ostechnix sudo: sk : TTY=pts/0 ; PWD=/home/sk ; USER=root ; COMMAND=/usr/bin/apt update

See the last line in the above output? The "apt update" command is logged in /var/log/sudo.log file.

How To Change Default Sudo Log File In Debian

Edit "/etc/sudoers" file in Debian using command:

$ sudo visudo

Add the following line at the end:

Defaults syslog=local1

Save and close the file.

Next, edit "/etc/rsyslog.conf" file:

$ sudo nano /etc/rsyslog.conf

Add the following line (line number 61) marked in red color before the "auth,authpriv.*;local1.none" line.

[...]
local1.*                        /var/log/sudo.log
auth,authpriv.*;local1.none     /var/log/auth.log
[...]

Save and close the file by pressing CTRL+X followed by Y.

Restart rsyslog service to take effect the changes:

$ sudo systemctl restart rsyslog

From now on, all sudo attempts will be logged in /var/log/sudo.log file.

How To Change Default Sudo Log File In CentOS, Fedora

The sudo logs are kept in "/var/log/secure" file in RPM-based systems such as CentOS and Fedora.

To  set a dedicated sudo log file in CentOS 8, edit "/etc/sudoers" file using command:

$ sudo visudo

This command will open /etc/sudoers file in Vi editor. Press "i" to enter to insert mode and add the following line at the end:

[...]
Defaults syslog=local1

Press ESC and type :wq to save and close.

Next, edit "/etc/rsyslog.conf" file:

$ sudo nano /etc/rsyslog.conf

Add/modify the following lines (line number 46 and 47):

[...]
*.info;mail.none;authpriv.none;cron.none;local1.none   /var/log/messages
local1.*                /var/log/sudo.log
[...]

Change Sudo Log File Location In CentOS

Press CTRL+X followed by Y to save and close the file.

Restart rsyslog to take effect the changes.

$ sudo systemctl restart rsyslog

From now on, all sudo attempts will be logged in /var/log/sudo.log file.

$ sudo cat /var/log/sudo.log

Sample output:

May 3 17:13:26 centos8 sudo[20191]: ostechnix : TTY=pts/0 ; PWD=/home/ostechnix ; USER=root ; COMMAND=/bin/systemctl restart rsyslog
May 3 17:13:35 centos8 sudo[20202]: ostechnix : TTY=pts/0 ; PWD=/home/ostechnix ; USER=root ; COMMAND=/bin/systemctl status rsyslog
May 3 17:13:51 centos8 sudo[20206]: ostechnix : TTY=pts/0 ; PWD=/home/ostechnix ; USER=root ; COMMAND=/bin/yum update

View sudo log files in CentOS

How To Change Default Sudo Log File In openSUSE

The sudo logs are kept in "/var/log/messages" file in SUSE and openSUSE.

To  set a dedicated sudo log file in openSUSE, edit "/etc/sudoers" file using command:

$ sudo visudo

This command will open /etc/sudoers file in Vi editor. Press "i" to enter to insert mode and add the following line at the end:

[...]
Defaults syslog=local1

Press ESC and type :wq to save and close.

Next, edit "/etc/rsyslog.conf" file:

$ sudo nano /etc/rsyslog.conf

Add/modify the following lines (line number 168, 180):

# Add the following line at line number 168:
*.*;mail.none;news.none;local1.none     -/var/log/messages

# line 180: remove [local1]
local0.*                      -/var/log/localmessages

# Add this line at the end:
local1.*                       -/var/log/sudo.log

Save and close the file. Restart rsyslog to take effect the changes:

$ sudo systemctl restart rsyslog

Suggested read:


Hope this helps.

Thanks for stopping by!

Help us to help you:

Have a Good day!!

You May Also Like

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More