This brief guide explains how to change the default sudo log file in Linux distributions such as Debian, Ubuntu, CentOS, Fedora and openSUSE.
Introduction
Why should we change the default sudo log file, you might wonder? By default, all sudo incidents are logged in the /var/log/auth.log file in Debian-based systems like Ubuntu. In RPM-based systems like CentOS and Fedora, the sudo activities are stored in the /var/log/secure file. In openSUSE, the sudo logs are stored in the /var/log/messages file.
However, these files are not dedicated to sudo logs. If you look into them, you will notice that other kinds of logs, such as cron, ssh, systemd etc., are also stored there. So if you want to set up a dedicated file for logging both successful and unsuccessful sudo attempts (as well as errors), follow the steps given below.
Change Default Sudo Log File in Linux
By default, sudo will log via syslog, but this can be changed via the "/etc/sudoers" file. First, we will see how to do it in Debian-based systems.
1. How to Change Default Sudo Log File in Ubuntu
In Ubuntu, the sudo activities are stored in the /var/log/auth.log file.
To change or set a dedicated log file for sudo in Ubuntu 20.04, edit the "/etc/sudoers" file using the command:
$ sudo visudo
Add the following line at the end:
Defaults syslog=local1
Press CTRL+X followed by Y to save and exit the file.
Next, edit the "/etc/rsyslog.d/50-default.conf" file:
$ sudo nano /etc/rsyslog.d/50-default.conf
Add the "local1.*" line shown below (line number 8) before the "auth,authpriv.*" line.
[...]
local1.* /var/log/sudo.log
auth,authpriv.* /var/log/auth.log
[...]
Here, /var/log/sudo.log is the file where all sudo logs are going to be stored. Save and close the file (CTRL+X and Y).
Finally, restart the rsyslog service for the changes to take effect:
$ sudo systemctl restart rsyslog
From now on, all sudo attempts will be logged in the /var/log/sudo.log file. For instance, I am going to run the following command:
$ sudo apt update
Now let me verify if it gets logged in the /var/log/sudo.log file:
$ cat /var/log/sudo.log
Sample output:
May 2 12:14:18 ostechnix sudo: sk : TTY=pts/0 ; PWD=/home/sk ; USER=root ; COMMAND=/usr/bin/apt update
See the last line in the above output? The "apt update" command is logged in the /var/log/sudo.log file.
2. How to Change Default Sudo Log File in Debian
Edit the "/etc/sudoers" file in Debian using the command:
$ sudo visudo
Add the following line at the end:
Defaults syslog=local1
Save and close the file.
Next, edit the "/etc/rsyslog.conf" file:
$ sudo nano /etc/rsyslog.conf
Add the "local1.*" line shown below (line number 61) before the "auth,authpriv.*;local1.none" line.
[...]
local1.* /var/log/sudo.log
auth,authpriv.*;local1.none /var/log/auth.log
[...]
Save and close the file by pressing CTRL+X followed by Y.
Restart the rsyslog service for the changes to take effect:
$ sudo systemctl restart rsyslog
From now on, all sudo attempts will be logged in the /var/log/sudo.log file.
3. How to Change Default Sudo Log File in CentOS, Fedora
The sudo logs are kept in the "/var/log/secure" file in RPM-based systems such as CentOS and Fedora.
To set a dedicated sudo log file in CentOS 8, edit the "/etc/sudoers" file using the command:
$ sudo visudo
This command will open the /etc/sudoers file in the Vi editor. Press "i" to enter insert mode and add the following line at the end:
[...]
Defaults syslog=local1
Press ESC and type :wq to save and close.
Next, edit the "/etc/rsyslog.conf" file:
$ sudo nano /etc/rsyslog.conf
Add/modify the following lines (line number 46 and 47):
[...]
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
local1.* /var/log/sudo.log
[...]
Press CTRL+X followed by Y to save and close the file.
Restart rsyslog for the changes to take effect.
$ sudo systemctl restart rsyslog
From now on, all sudo attempts will be logged in the /var/log/sudo.log file.
$ sudo cat /var/log/sudo.log
Sample output:
May 3 17:13:26 centos8 sudo[20191]: ostechnix : TTY=pts/0 ; PWD=/home/ostechnix ; USER=root ; COMMAND=/bin/systemctl restart rsyslog
May 3 17:13:35 centos8 sudo[20202]: ostechnix : TTY=pts/0 ; PWD=/home/ostechnix ; USER=root ; COMMAND=/bin/systemctl status rsyslog
May 3 17:13:51 centos8 sudo[20206]: ostechnix : TTY=pts/0 ; PWD=/home/ostechnix ; USER=root ; COMMAND=/bin/yum update
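With sudo records in their own file, reviewing them is easy to script. The following is an added example, not part of the original guide: it splits each record into fields and counts failed attempts per user. It assumes sudo's usual record layout, in which a failed attempt carries a reason (such as "user NOT in sudoers") before the TTY field; the last two sample lines are constructed.

```bash
# Added example: split sudo syslog records into
#   status|user|runas|reason|command
# Assumes sudo's usual record layout; failed attempts carry a reason before TTY=.
parse_sudo_log() {                   # reads log lines on stdin
  awk '
    {
      if (!match($0, / sudo(\[[0-9]+\])?: +/)) next    # not a sudo record
      rest = substr($0, RSTART + RLENGTH)
      p = index(rest, " : ")
      if (p == 0) next
      user = substr(rest, 1, p - 1)
      body = substr(rest, p + 3)
      status = "allowed"; reason = "-"
      if (body !~ /^TTY=/) {         # text before the first " ; " is the reason
        status = "failed"
        q = index(body, " ; ")
        reason = (q ? substr(body, 1, q - 1) : body)
      }
      runas = "?"
      if (match(body, /USER=[^ ;]+/))
        runas = substr(body, RSTART + 5, RLENGTH - 5)
      c = index(body, "COMMAND=")    # COMMAND is last and may contain " ; "
      cmd = (c ? substr(body, c + 8) : "")
      print status "|" user "|" runas "|" reason "|" cmd
    }'
}

failed_by_user() {                   # "user count" per user with failed attempts
  parse_sudo_log |
    awk -F"|" '$1 == "failed" { n[$2]++ } END { for (u in n) print u, n[u] }' |
    sort
}

# First two lines are the guide's own samples; the last two are constructed.
sample_sudo_log() {
  cat <<'EOF'
May 2 12:14:18 ostechnix sudo: sk : TTY=pts/0 ; PWD=/home/sk ; USER=root ; COMMAND=/usr/bin/apt update
May 3 17:13:51 centos8 sudo[20206]: ostechnix : TTY=pts/0 ; PWD=/home/ostechnix ; USER=root ; COMMAND=/bin/yum update
May 3 17:20:02 centos8 sudo[20311]: guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/bin/less /var/log/sudo.log
May 3 17:21:40 centos8 sudo[20320]: ostechnix : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/ostechnix ; USER=root ; COMMAND=/bin/sh -c echo a ; echo b
EOF
}

sample_sudo_log | parse_sudo_log
sample_sudo_log | failed_by_user
```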
4. How to Change Default Sudo Log File in openSUSE
The sudo logs are kept in the "/var/log/messages" file in SUSE and openSUSE.
To set a dedicated sudo log file in openSUSE, edit the "/etc/sudoers" file using the command:
$ sudo visudo
This command will open the /etc/sudoers file in the Vi editor. Press "i" to enter insert mode and add the following line at the end:
[...]
Defaults syslog=local1
Press ESC and type :wq to save and close.
Next, edit the "/etc/rsyslog.conf" file:
$ sudo nano /etc/rsyslog.conf
Add/modify the following lines (line number 168, 180):
# Add the following line at line number 168:
*.*;mail.none;news.none;local1.none -/var/log/messages
# line 180: remove [local1]
local0.* -/var/log/localmessages
# Add this line at the end:
local1.* -/var/log/sudo.log
Save and close the file. Restart rsyslog for the changes to take effect:
$ sudo systemctl restart rsyslog
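To check where local1 messages actually end up after these edits, the following added example (not part of the original guide) evaluates classic selector/action rules for one facility. The Ubuntu excerpt includes the catch-all rule of a stock 50-default.conf, which is an assumption and is not shown in the guide; without "local1.none" on that rule, a copy of every sudo record still reaches /var/log/syslog.

```bash
# Added example: which files receive messages for one syslog facility?
# Handles classic "selector action" rules only; any priority other than
# "none" counts as a match (assumption). RainerScript is not handled.
facility_destinations() {            # usage: facility_destinations local1 < rules
  awk -v fac="$1" '
    /^[ \t]*#/ { next }              # comment
    NF < 2     { next }              # blank line or not a selector/action pair
    {
      keep = 0
      n = split($1, sel, ";")        # selectors are evaluated left to right
      for (i = 1; i <= n; i++) {
        dot = index(sel[i], ".")
        if (dot == 0) continue
        prio = substr(sel[i], dot + 1)
        m = split(substr(sel[i], 1, dot - 1), f, ",")
        for (j = 1; j <= m; j++)
          if (f[j] == "*" || f[j] == fac)
            keep = (prio == "none") ? 0 : 1    # a later selector overrides
      }
      dest = $2
      sub(/^-/, "", dest)            # leading "-" only disables syncing
      if (keep && dest ~ /^\//) print dest
    }'
}

# Constructed excerpt: the Ubuntu rules from section 1 plus the catch-all
# rule of a stock 50-default.conf (assumed, not shown in the guide).
ubuntu_rules() {
  cat <<'EOF'
local1.*                        /var/log/sudo.log
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
EOF
}

# Constructed excerpt: the CentOS rules from section 3.
centos_rules() {
  cat <<'EOF'
*.info;mail.none;authpriv.none;cron.none;local1.none    /var/log/messages
local1.*                                                /var/log/sudo.log
EOF
}

echo "Ubuntu: $(ubuntu_rules | facility_destinations local1 | tr '\n' ' ')"
echo "CentOS: $(centos_rules | facility_destinations local1 | tr '\n' ' ')"
```

To check a live system, feed the real rules file to facility_destinations on standard input; more than one path in the output means the sudo records are also written somewhere other than the dedicated file.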
Hope this helps.