How to Configure Sudo to Log to Syslog in Ubuntu

This guide explains how to configure the sudo command to log all activities to syslog on Ubuntu systems. Enabling this feature enhances security auditing by creating a centralized record of privileged commands executed by users. We will cover editing the sudoers file, verifying the configuration, and checking the logs.

Prerequisites

You must have root privileges or access to a user account with sudo permissions to modify system configuration files. Ensure you have terminal access to your Ubuntu machine.

Edit the Sudoers File

Always use the visudo command to edit the sudoers file. This utility checks for syntax errors before saving, preventing you from locking yourself out of sudo access. Open your terminal and run the following command:

sudo visudo

Add Logging Configuration

Scroll to the end of the file or locate the Defaults section. Add the following line to ensure sudo sends logs to the auth facility within syslog:

Defaults syslog=auth

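If you also want to record the output of the commands executed, add this line as well. Note that log_output does not send the output to syslog: sudo stores it as I/O log files (by default under /var/log/sudo-io), which can be replayed with the sudoreplay command.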

Defaults log_output

Save and Exit

Save the changes and exit the editor. If you are using nano, press Ctrl + O to write out the file and Ctrl + X to exit. If you are using vim, type :wq and press Enter. visudo will validate the syntax before closing.

Verify the Configuration

Test the configuration by running a simple sudo command. Execute the following in your terminal:

sudo ls /root

Check the Syslog

Open the authentication log file to confirm the entry was recorded. On Ubuntu, sudo logs are typically stored in /var/log/auth.log. Use the following command to view the latest entries:

sudo tail -n 20 /var/log/auth.log

You should see an entry detailing the user, the command executed, and the timestamp. This confirms that sudo is successfully logging to syslog.
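
To review only the sudo command records instead of scanning the whole file by eye, the following added example (not part of the original guide) extracts the invoking user, the run-as user, and the command from auth.log-style lines, and keeps sudo's refusal message when one is present. The function names sudo_events and sample_log are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarise sudo command records from auth.log-style input on stdin.
# Output columns (tab-separated): status, invoking user, run-as user, command.
sudo_events() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: +/) && index($0, "COMMAND=") {
        # Anchor on the sudo tag, so the timestamp format does not matter.
        msg = substr($0, RSTART + RLENGTH)
        sep = index(msg, " : ")
        if (sep == 0) next                       # not a command record
        user = substr(msg, 1, sep - 1)
        rest = substr(msg, sep + 3)
        # COMMAND= is the last field; the command itself may contain " ; ".
        c   = index(rest, "COMMAND=")
        cmd = substr(rest, c + 8)
        n   = split(substr(rest, 1, c - 1), f, / ; /)
        runas = "-"; status = "ok"
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^USER=/) runas = substr(f[i], 6)
            else if (f[i] != "" && f[i] !~ /=/) status = f[i]   # refusal text from sudo
        }
        printf "%s\t%s\t%s\t%s\n", status, user, runas, cmd
    }'
}

# Constructed sample lines (not taken from a real host).
sample_log() {
    cat <<'EOF'
Jan 10 12:34:56 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ls /root
Jan 10 12:34:56 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
2025-01-10T12:35:10.123456+00:00 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart ssh
Jan 10 12:36:02 web01 sudo[2211]:    carol : TTY=pts/2 ; PWD=/srv ; USER=www-data ; COMMAND=/bin/sh -c echo a ; echo b
Jan 10 12:36:40 web01 sshd[900]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
EOF
}

sample_log | sudo_events
```

On the Ubuntu machine itself, feed it the real log with sudo cat /var/log/auth.log | sudo_events; any row whose first column is not "ok" is a request that sudo refused.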