Details about sudo commands executed by all users
Depending on your distro, simply:
$ sudo grep sudo /var/log/secure
or
$ sudo grep sudo /var/log/auth.log
which gives:
Nov 14 09:07:31 vm1 sudo: pam_unix(sudo:auth): authentication failure; logname=gareth uid=1000 euid=0 tty=/dev/pts/19 ruser=gareth rhost= user=gareth
Nov 14 09:07:37 vm1 sudo: gareth : TTY=pts/19 ; PWD=/home/gareth ; USER=root ; COMMAND=/bin/yum update
Nov 14 09:07:53 vm1 sudo: gareth : TTY=pts/19 ; PWD=/home/gareth ; USER=root ; COMMAND=/bin/grep sudo /var/log/secure
The user running the command is after the sudo: gareth in this case. PWD is the directory. USER is the user that gareth is running as - root in this example. COMMAND is the command run.
Therefore, in the example above, gareth used sudo to run yum update and then ran this example. Before that he typed in the incorrect password.
On newer systems:
$ sudo journalctl _COMM=sudo
gives a very similar output.
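To turn the log lines above into fields a reviewer can tally per user, here is an added example (not part of the original answer): it parses both the "user : TTY=... ; COMMAND=..." records and the pam_unix authentication failures, skipping non-sudo lines. The sample log is constructed from the answer's output plus one sshd line to show that unrelated entries are ignored.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the answer's output (not captured from a real host).
SAMPLE_LOG = """\
Nov 14 09:07:31 vm1 sudo: pam_unix(sudo:auth): authentication failure; logname=gareth uid=1000 euid=0 tty=/dev/pts/19 ruser=gareth rhost= user=gareth
Nov 14 09:07:37 vm1 sudo: gareth : TTY=pts/19 ; PWD=/home/gareth ; USER=root ; COMMAND=/bin/yum update
Nov 14 09:07:53 vm1 sudo: gareth : TTY=pts/19 ; PWD=/home/gareth ; USER=root ; COMMAND=/bin/grep sudo /var/log/secure
Nov 14 09:08:02 vm1 sshd[1234]: Accepted publickey for gareth from 10.0.0.5 port 51234 ssh2
"""

# "Mon DD HH:MM:SS host sudo: " prefix shared by every sudo syslog line (optional [pid])
PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo(?:\[\d+\])?: "
COMMAND_RE = re.compile(PREFIX + r"(?P<user>\S+) : (?P<fields>.*)$")
AUTH_FAIL_RE = re.compile(PREFIX + r"pam_unix\(sudo:auth\): authentication failure; (?P<fields>.*)$")

def parse_sudo_line(line):
    """Return a dict describing a sudo log line, or None for lines not written by sudo."""
    m = AUTH_FAIL_RE.match(line)
    if m:
        # pam_unix body is whitespace-separated key=value pairs; rhost= may be empty
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        return {"type": "auth_failure", "ts": m.group("ts"), "host": m.group("host"),
                "user": fields.get("user"), "tty": fields.get("tty")}
    m = COMMAND_RE.match(line)
    if m:
        # body is "KEY=value ; KEY=value ; ..."; COMMAND comes last and may contain spaces
        fields = dict(p.split("=", 1) for p in m.group("fields").split(" ; ") if "=" in p)
        return {"type": "command", "ts": m.group("ts"), "host": m.group("host"),
                "user": m.group("user"), "tty": fields.get("TTY"), "pwd": fields.get("PWD"),
                "runas": fields.get("USER"), "command": fields.get("COMMAND")}
    return None

def summarize(log_text):
    """Per invoking user: list of (run-as user, command) pairs and count of auth failures."""
    summary = defaultdict(lambda: {"commands": [], "auth_failures": 0})
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue  # not a sudo record (e.g. the sshd line)
        if ev["type"] == "command":
            summary[ev["user"]]["commands"].append((ev["runas"], ev["command"]))
        else:
            summary[ev["user"]]["auth_failures"] += 1
    return dict(summary)

if __name__ == "__main__":
    for user, info in summarize(SAMPLE_LOG).items():
        print(user, info["auth_failures"], "failed auth;", info["commands"])
```

Feed it the output of the grep or journalctl commands above instead of SAMPLE_LOG to get the same per-user tally for a real host.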