System Authentication Log Monitoring in Linux

Posted by JeremyL on Tue 22 October 2013

Every systems administrator knows the importance of managing users and groups. This means monitoring login activity for every account on the system. This guide touches on the basic concepts and helps start building a deeper understanding of user management and authentication logging.

Monitor System Logins

Once all your users have been configured on a box, you will want to monitor the system to make sure that authentication attempts are valid.

On most Linux distributions you will find a file called auth.log (on Debian and Ubuntu it is /var/log/auth.log; Red Hat-based systems keep the same information in /var/log/secure). This is the file where all login attempts and related information are stored. It can be quite large, so one way to view it is:

sudo less /var/log/auth.log
Oct 22 18:38:27 ip-10-252-16-176 su[4058]: pam_unix(su:session): session opened for user root by youruser(uid=0)
Oct 22 18:39:02 ip-10-252-16-176 CRON[4070]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 22 18:39:04 ip-10-252-16-176 CRON[4070]: pam_unix(cron:session): session closed for user root
Oct 22 18:40:01 ip-10-252-16-176 CRON[4077]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Oct 22 18:40:02 ip-10-252-16-176 CRON[4077]: pam_unix(cron:session): session closed for user smmsp
Oct 22 18:45:02 ip-10-252-16-176 CRON[4096]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 22 18:45:02 ip-10-252-16-176 CRON[4096]: pam_unix(cron:session): session closed for user root
Oct 22 18:46:03 ip-10-252-16-176 sudo:     root : TTY=pts/0 ; PWD=/home/youruser ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Oct 22 18:46:03 ip-10-252-16-176 sudo: pam_unix(sudo:session): session opened for user root by youruser(uid=0)
Oct 22 18:46:09 ip-10-252-16-176 sudo: pam_unix(sudo:session): session closed for user root
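As an added example (not part of the original post), here is a small Python parser for the two kinds of lines in the excerpt above: the pam_unix "session opened/closed" lines and sudo's own COMMAND= audit line. It pairs each opened session with its close, keeps the sudo commands, and lists which named account became root (cron sessions, which have no calling account, are excluded). The sample input is the excerpt itself; the regexes are assumptions about the line formats shown there.

```python
import re
# Constructed sample: the lines from the auth.log excerpt above
SAMPLE_LOG = """\
Oct 22 18:38:27 ip-10-252-16-176 su[4058]: pam_unix(su:session): session opened for user root by youruser(uid=0)
Oct 22 18:39:02 ip-10-252-16-176 CRON[4070]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 22 18:39:04 ip-10-252-16-176 CRON[4070]: pam_unix(cron:session): session closed for user root
Oct 22 18:46:03 ip-10-252-16-176 sudo:     root : TTY=pts/0 ; PWD=/home/youruser ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Oct 22 18:46:03 ip-10-252-16-176 sudo: pam_unix(sudo:session): session opened for user root by youruser(uid=0)
Oct 22 18:46:09 ip-10-252-16-176 sudo: pam_unix(sudo:session): session closed for user root
"""
# syslog prefix: timestamp, host, program with optional [pid], then the message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# pam_unix session open/close; the 'by' account is empty on cron sessions
SESSION_RE = re.compile(r"pam_unix\((?P<service>[^:]+):session\): session "
                        r"(?P<action>opened|closed) for user (?P<user>\S+)"
                        r"(?: by (?P<by>[^\s(]*)\(uid=\d+\))?")
# sudo's own audit line: who ran what, as whom
SUDO_RE = re.compile(r"^\s*(?P<caller>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; "
                     r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def parse_auth_log(text):
    """Return (sessions, sudo_cmds): every opened session with its close time
    (matched on service, user and pid) and every sudo COMMAND= line."""
    sessions, pending, sudo_cmds = [], {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = SESSION_RE.search(m["msg"])
        if s:
            key = (s["service"], s["user"], m["pid"])
            if s["action"] == "opened":
                rec = {"service": s["service"], "user": s["user"],
                       "by": s["by"] or None, "opened": m["ts"], "closed": None}
                sessions.append(rec)
                pending[key] = rec
            elif key in pending:
                pending.pop(key)["closed"] = m["ts"]
        elif m["proc"] == "sudo":
            c = SUDO_RE.match(m["msg"])
            if c:
                sudo_cmds.append({"time": m["ts"], "caller": c["caller"],
                                  "target": c["target"], "cmd": c["cmd"]})
    return sessions, sudo_cmds

def root_escalations(sessions):
    """Interactive sessions where a named account became root (cron excluded)."""
    return [(s["by"], s["service"], s["opened"])
            for s in sessions if s["user"] == "root" and s["by"]]
```

Run it over a real file with `parse_auth_log(open("/var/log/auth.log").read())`; a session that never closes (like the su session in the sample) shows up with `closed` set to None.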

Using the Command last

Usually, though, you are only interested in who is currently logged in and the most recent sessions. Luckily there is a tool that does just that.

last
user     pts/0        YourURL.com-p Tue Oct 22 23:47   still logged in   
user     pts/0        YourURL.com-p Tue Oct 22 17:20 - 19:31  (02:11)

The above output was truncated, but as you can see it shows whether someone is still logged in, when they last logged in, and how long they were logged in for. The tool last works by giving you a formatted view of the file

/var/log/wtmp

Using the Command lastlog

If you need to find out when each user last logged in, use the tool lastlog. It produces its output from the log file

/var/log/lastlog

which gets matched against the accounts listed in the file

/etc/passwd

lastlog
Username         Port     From             Latest
root                                       **Never logged in**
daemon                                     **Never logged in**
bin                                        **Never logged in**
sys                                        **Never logged in**
sync                                       **Never logged in**
games                                      **Never logged in**
man                                        **Never logged in**
nobody                                     **Never logged in**
libuuid                                    **Never logged in**
syslog                                     **Never logged in**
messagebus                                 **Never logged in**
whoopsie                                   **Never logged in**
landscape                                  **Never logged in**
sshd                                       **Never logged in**
youruser           pts/0    YourURL.com-p Tue Oct 22 18:38:09 -0700 2013

Linux gives you a relatively flexible set of ways to monitor user authentication. There are many tools available, and this has only touched on some of the basics. The most important thing to learn is where your box actually stores all the information about logins.