Where Are Sudo Logs Stored in Ubuntu by Default
This article explains the default location of sudo logs in Ubuntu systems. It covers the specific file path where authentication and command execution records are kept. You will also learn how to view these logs using common command-line tools for security auditing and troubleshooting purposes.
In Ubuntu, sudo logs are stored in the /var/log/auth.log file by default. This file records all authentication-related events, including successful and failed sudo commands, SSH logins, and user switching activities. System administrators rely on this log to monitor privilege escalation and maintain security compliance.
To view the sudo logs, you can use the cat, less, or tail commands. Since the file requires root privileges to read, you must prepend sudo to your viewing command. For example, running sudo tail -f /var/log/auth.log lets you watch log entries in real time as they are written.
If you want to filter the output to show only sudo-related entries, you can use the grep command. Executing sudo grep "sudo" /var/log/auth.log will display every line containing the word sudo. This makes it easier to isolate specific command executions without scrolling through unrelated authentication data.
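The grep filter above returns every line that contains the word sudo, including PAM session lines and lines that other programs wrote. The following Python example is added here and is not part of the original article; it keeps only the command records that sudo itself logs, splits them into fields, and counts denied attempts per user. The sample lines, host name, user names and IP address are constructed.

```python
import re
from collections import Counter

# Constructed sample in the usual auth.log layout (host, users and IP are made up).
SAMPLE = """\
Mar  4 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  4 10:15:01 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  4 10:17:42 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  4 10:20:09 web01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  4 10:21:30 web01 usermod[2211]: add 'carol' to group 'sudo'
Mar  4 10:22:00 web01 sshd[2302]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

FIELD_NAMES = {"TTY": "tty", "PWD": "pwd", "USER": "runas"}
# Records written by sudo itself look like "<prefix> sudo[pid]: <user> : <fields>".
SUDO_RECORD = re.compile(r"\ssudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*)$")

def parse_sudo_events(text):
    """Return one dict per sudo command record, ignoring PAM and unrelated lines."""
    events = []
    for line in text.splitlines():
        m = SUDO_RECORD.search(line)
        if m is None:
            continue
        # COMMAND comes last and may itself contain " ; ", so split it off first.
        head, _, command = m.group("rest").partition("COMMAND=")
        event = {"user": m.group("user"), "tty": None, "pwd": None,
                 "runas": None, "command": command, "failure": None}
        for part in head.split(" ; "):
            key, sep, value = part.partition("=")
            if sep and key in FIELD_NAMES:
                event[FIELD_NAMES[key]] = value
            elif not sep and part.strip():
                # Free text such as "user NOT in sudoers" marks a denied attempt.
                event["failure"] = part.strip()
        events.append(event)
    return events

def failures_by_user(events):
    """Count denied sudo attempts per invoking user."""
    return Counter(e["user"] for e in events if e["failure"])

if __name__ == "__main__":
    for e in parse_sudo_events(SAMPLE):
        print(e["user"], "->", e["runas"], e["command"], "|", e["failure"] or "ok")
```

To run it against a real host, pass the text of /var/log/auth.log to parse_sudo_events instead of SAMPLE.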
On newer versions of Ubuntu that use systemd, you can also query the logs using journalctl. The command journalctl | grep sudo provides similar information by querying the system journal instead of the text file. However, /var/log/auth.log remains the standard persistent storage location for these records in most Ubuntu installations.