Details about sudo commands executed by all users

Depending on your distro; simply:

$ sudo grep sudo /var/log/secure

or

$ sudo grep sudo /var/log/auth.log

which gives:

Nov 14 09:07:31 vm1 sudo: pam_unix(sudo:auth): authentication failure; logname=gareth uid=1000 euid=0 tty=/dev/pts/19 ruser=gareth rhost=  user=gareth
Nov 14 09:07:37 vm1 sudo: gareth : TTY=pts/19 ; PWD=/home/gareth ; USER=root ; COMMAND=/bin/yum update
Nov 14 09:07:53 vm1 sudo: gareth : TTY=pts/19 ; PWD=/home/gareth ; USER=root ; COMMAND=/bin/grep sudo /var/log/secure

The user running the command is the name after "sudo:", gareth in this case.

PWD is the directory.

USER is the user that gareth is running as - root in this example.

COMMAND is the command that was run.

Therefore, in the example above, gareth used sudo to run yum update and then ran this example. Before that, he typed in an incorrect password.

On newer systems:

$ sudo journalctl _COMM=sudo

gives a very similar output.
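As an added example (not part of the original answer), here is a small Python parser that turns the log lines above into structured records and then flags the exact pattern the answer describes: a PAM authentication failure followed later by a successful sudo command from the same user. The three sample lines are copied from the excerpt above and embedded as constructed input, so it runs offline; the optional "[pid]" after "sudo" and the COMMAND re-join logic are assumptions about how other distros format the same line, not something the answer states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the three lines quoted in the answer above.
SAMPLE_LOG = """\
Nov 14 09:07:31 vm1 sudo: pam_unix(sudo:auth): authentication failure; logname=gareth uid=1000 euid=0 tty=/dev/pts/19 ruser=gareth rhost=  user=gareth
Nov 14 09:07:37 vm1 sudo: gareth : TTY=pts/19 ; PWD=/home/gareth ; USER=root ; COMMAND=/bin/yum update
Nov 14 09:07:53 vm1 sudo: gareth : TTY=pts/19 ; PWD=/home/gareth ; USER=root ; COMMAND=/bin/grep sudo /var/log/secure
"""

# Syslog prefix: timestamp, host, then "sudo:"; the "[pid]" is optional
# (assumption: some syslog setups write "sudo[1234]:" instead of "sudo:").
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?: "
_CMD_RE = re.compile(_PREFIX + r"(?P<user>\S+) : (?P<fields>.*)$")
_AUTH_FAIL_RE = re.compile(
    _PREFIX + r"pam_unix\(sudo:auth\): authentication failure;.*\buser=(?P<user>\S+)"
)


@dataclass
class SudoEvent:
    kind: str                 # "command" or "auth_failure"
    ts: str
    host: str
    user: str                 # the invoking user (after "sudo:")
    tty: Optional[str] = None
    pwd: Optional[str] = None
    runas: Optional[str] = None   # USER= field: who the command ran as
    command: Optional[str] = None


def _parse_fields(fields: str) -> Dict[str, str]:
    """Split 'TTY=... ; PWD=... ; USER=... ; COMMAND=...' into a dict.

    COMMAND is always the last field, so anything after it is re-joined in
    case the command line itself contained ' ; ' (assumption, defensive).
    """
    out: Dict[str, str] = {}
    parts = fields.split(" ; ")
    for i, part in enumerate(parts):
        key, _, value = part.partition("=")
        if key == "COMMAND":
            out[key] = " ; ".join([value] + parts[i + 1:])
            break
        out[key] = value
    return out


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo command or PAM failure line, else None."""
    m = _CMD_RE.match(line)
    if m and not m.group("user").startswith("pam_unix"):
        f = _parse_fields(m.group("fields"))
        return SudoEvent("command", m.group("ts"), m.group("host"), m.group("user"),
                         tty=f.get("TTY"), pwd=f.get("PWD"),
                         runas=f.get("USER"), command=f.get("COMMAND"))
    m = _AUTH_FAIL_RE.match(line)
    if m:
        return SudoEvent("auth_failure", m.group("ts"), m.group("host"), m.group("user"))
    return None


def parse_sudo_log(text: str) -> List[SudoEvent]:
    """Parse every recognisable sudo line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        ev = parse_sudo_line(line)
        if ev is not None:
            events.append(ev)
    return events


def failures_then_commands(events: List[SudoEvent]) -> Dict[str, List[str]]:
    """Users who failed sudo authentication and later ran a command.

    Returns {user: [commands run after the first failure]}, i.e. the
    'wrong password, then yum update' sequence seen in the excerpt.
    """
    failed_at: Dict[str, int] = {}
    result: Dict[str, List[str]] = {}
    for i, ev in enumerate(events):
        if ev.kind == "auth_failure":
            failed_at.setdefault(ev.user, i)
        elif ev.kind == "command" and ev.user in failed_at and i > failed_at[ev.user]:
            result.setdefault(ev.user, []).append(ev.command or "")
    return result


if __name__ == "__main__":
    evs = parse_sudo_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print(failures_then_commands(evs))
```

The command records come from sudo's own log line, while the failure record comes from pam_unix, which is why the two lines have different shapes and need two patterns. Feed it the output of the grep or journalctl commands above to get the same records from a real system.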
