How to View Sudo Usage History in Ubuntu

This article provides a direct method for auditing administrative actions on your Linux machine. It details the specific log files where sudo commands are recorded and demonstrates the terminal commands required to extract this information. By following these steps, you can effectively monitor security and track user activity on your Ubuntu system.

Check the Auth Log

Ubuntu stores sudo usage records in the authentication log. This file is located at /var/log/auth.log. You need superuser privileges to read this file. Use the following command to view the entire log:

sudo cat /var/log/auth.log

Filter Sudo Commands

Viewing the entire log can be overwhelming. To see only sudo-related entries, use the grep command. This filters the text to show lines containing the word “sudo”.

sudo grep "sudo:" /var/log/auth.log

View History for a Specific User

If you need to audit a specific account, combine grep patterns. Replace “username” with the actual account name you are investigating.

sudo grep "sudo:" /var/log/auth.log | grep "username"

Using Journalctl

Modern Ubuntu versions use systemd, which allows you to query logs using journalctl. This method is often faster and offers better filtering options.

sudo journalctl | grep sudo

To see real-time sudo activity as it happens, add the -f flag to follow the log output.

sudo journalctl -f | grep sudo

Understanding the Output

Each log entry typically includes the timestamp, the hostname, the user who executed the command, and the specific command run. Look for lines containing “COMMAND=” to identify the exact action taken. Regularly reviewing these logs helps maintain system security and accountability.