
Linux Auth Log

Authentication and authorization events including SSH, sudo, PAM


Quick Facts

Default Path (Linux)
/var/log/auth.log
Default Format
syslog
JSON Native
No
Rotation
logrotate

Log Example

Default format: Syslog Format

Example Log Entry:
Dec 20 14:32:18 webserver01 sshd[1234]: Accepted publickey for admin from 192.168.1.100 port 54321 ssh2: RSA SHA256:abc123...

Structure:

timestamp hostname program[pid]: message

Paths by Platform

Debian / Ubuntu
/var/log/auth.log
RHEL / CentOS
/var/log/secure

Available Formats

Syslog Format

Default

Example:

Dec 20 14:32:18 webserver01 sshd[1234]: Accepted publickey for admin from 192.168.1.100 port 54321 ssh2: RSA SHA256:abc123...

Structure:

timestamp hostname program[pid]: message

Fields Reference

Field     | Type     | Description                            | Example
timestamp | datetime | When the event occurred                | Dec 20 14:32:18
hostname  | string   | System hostname                        | webserver01
program   | string   | Service name (sshd, sudo, su, etc.)    | sshd
pid       | integer  | Process ID                             | 1234
message   | string   | Event details                          | Accepted publickey for admin from 192.168.1.100 port 54321 ssh2

Parsing Patterns

Grok Patterns

ssh_accepted:

%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} sshd\[%{POSINT:pid}\]: Accepted %{WORD:auth_method} for %{USER:user} from %{IP:src_ip} port %{POSINT:src_port}

ssh_failed:

%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} sshd\[%{POSINT:pid}\]: Failed %{WORD:auth_method} for %{USER:user} from %{IP:src_ip} port %{POSINT:src_port}

Collector Configurations

Logstash (Ruby DSL):

filter {
  if [program] == "sshd" {
    grok {
      match => { "message" => "(?:Accepted|Failed) %{WORD:auth_method} for %{USER:user} from %{IP:src_ip} port %{POSINT:src_port}" }
    }
  }
}

Configuration

Enable Logging

rsyslog directive (writes all priorities of the auth and authpriv facilities to the file):

auth,authpriv.* /var/log/auth.log

Use Cases

Login monitoring

Track successful and failed logins.

Fields used: program, message
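The following is an added example, not code from the original page or from any collector project: a Python parser for the syslog envelope described above (timestamp hostname program[pid]: message) and for the sshd Accepted/Failed messages that the ssh_accepted and ssh_failed grok patterns target, followed by the login-monitoring roll-up from the Use Cases section. It goes one step beyond the page's grok patterns by also capturing the "Failed password for invalid user X" form, which %{USER:user} alone does not match because of the embedded spaces. The sample log lines are constructed, and the function names (parse_syslog_line, parse_sshd_auth, summarize_ssh_logins) and the failure threshold are assumptions of this example.

```python
import re
from collections import Counter

# Syslog envelope: "timestamp hostname program[pid]: message". The pid is
# optional here because some programs (e.g. sudo) log without one.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# sshd message body, equivalent to the page's ssh_accepted / ssh_failed grok
# patterns, extended with the optional "invalid user" prefix that appears when
# the login name does not exist on the host.
SSHD_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<auth_method>\w+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<src_ip>[0-9a-fA-F.:]+) port (?P<src_port>\d+)"
)


def parse_syslog_line(line):
    """Split one auth.log line into timestamp, hostname, program, pid, message.

    Returns None when the line does not follow the syslog envelope format.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] is not None else None
    return rec


def parse_sshd_auth(message):
    """Extract the auth fields from an sshd Accepted/Failed message.

    Returns None for sshd messages that are not authentication results
    (e.g. "Connection closed", "Received disconnect").
    """
    m = SSHD_AUTH_RE.match(message)
    if not m:
        return None
    return {
        "result": m.group("result").lower(),    # "accepted" or "failed"
        "auth_method": m.group("auth_method"),  # password, publickey, ...
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "src_ip": m.group("src_ip"),
        "src_port": int(m.group("src_port")),
    }


def summarize_ssh_logins(lines, fail_threshold=3):
    """Login monitoring over raw auth.log lines.

    Counts accepted and failed sshd logins per source IP and flags the IPs
    whose failure count reached fail_threshold (an assumed example value).
    """
    accepted = Counter()
    failed = Counter()
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or rec["program"] != "sshd":
            continue
        auth = parse_sshd_auth(rec["message"])
        if auth is None:
            continue
        if auth["result"] == "accepted":
            accepted[auth["src_ip"]] += 1
        else:
            failed[auth["src_ip"]] += 1
    flagged = sorted(ip for ip, n in failed.items() if n >= fail_threshold)
    return {"accepted": dict(accepted), "failed": dict(failed), "flagged": flagged}


# Constructed sample lines in the page's syslog format (not real log data).
SAMPLE_LINES = [
    "Dec 20 14:32:18 webserver01 sshd[1234]: Accepted publickey for admin from 192.168.1.100 port 54321 ssh2: RSA SHA256:abc123...",
    "Dec 20 14:33:01 webserver01 sshd[1240]: Failed password for root from 203.0.113.45 port 40100 ssh2",
    "Dec 20 14:33:04 webserver01 sshd[1241]: Failed password for invalid user oracle from 203.0.113.45 port 40102 ssh2",
    "Dec 20 14:33:07 webserver01 sshd[1242]: Failed password for invalid user test from 203.0.113.45 port 40104 ssh2",
    "Dec 20 14:33:10 webserver01 sshd[1242]: Connection closed by authenticating user test 203.0.113.45 port 40104 [preauth]",
    "Dec 20 14:35:00 webserver01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Dec 20 14:36:12 webserver01 sshd[1250]: Accepted password for deploy from 192.168.1.101 port 54400 ssh2",
]

if __name__ == "__main__":
    print(summarize_ssh_logins(SAMPLE_LINES))
```

Running the block prints the per-IP counts and flags 203.0.113.45 after its three failures; the sudo line is parsed by the envelope regex but skipped by the sshd-specific logic, which is the same program-based gating the Logstash filter above performs with its if [program] == "sshd" condition.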

Troubleshooting

Tested On

OpenSSH 9.6 on Ubuntu 24.04
security_expert - 2025-12-12
Last updated: 2025-12-12 by security_expert
Validated
