Apple - Where will the incident with the sudo command be reported to?
The event will be logged in /var/log/secure.log
and a mail will be sent to root (which by default goes to /dev/null
which is Unix speak for it is discarded).
In older versions of OS X (through 10.6 or maybe 10.7), the disallowed sudo attempt would be logged in
/var/log/secure.log
; in more recent versions it's recorded in the ASL (Apple System Log) database, in/var/log/asl/*
. You can read this with theConsole.app
utility (selectALL MESSAGES
in the sidebar, then if you can't find them use the search field in the upper right to search forsudo
). You can also use the command-linesyslog
command to query the database (syslog -k Facility authpriv -k Sender sudo
should do it). Note that with either Console.app orsyslog
, the entries will only be visible if you are running as an admin or root.
Source