How to monitor sudo activity in real-time?

Dec 24, 2025

To monitor sudo activity in real-time on your LabEx VM (or any Ubuntu/Debian system), you can use the tail command with the -f (follow) flag.

Run the following command in your terminal:

sudo tail -f /var/log/auth.log | grep sudo

How this works:

  1. sudo: You need root privileges to read the system authentication logs.
  2. tail -f: The -f stands for "follow." It keeps the file open and prints new lines to your screen as they are written to the file in real-time.
  3. /var/log/auth.log: On Debian/Ubuntu systems running rsyslog, this is the file where authentication and authorization events are written, including logins and sudo usage (other distributions may use a different path, such as /var/log/secure).
  4. | grep sudo: This pipes the output to the grep tool so that you only see lines containing the word "sudo," filtering out other noise (like SSH logins or cron jobs).

Try it out!

  1. Open a second terminal window in your environment.
  2. In the first window, run the monitoring command above.
  3. In the second window, perform a sudo action (like sudo ls).
  4. Watch the first window: you will immediately see a log entry appear that looks something like this:

     May 24 10:15:01 labex sudo: labex : TTY=pts/0 ; PWD=/home/labex/project ; USER=root ; COMMAND=/usr/bin/ls

Alternative for modern systems:

If your system uses systemd (which most modern distros do), you can also use journalctl:

sudo journalctl -f -t sudo
  • -f: Follow the log.
  • -t sudo: Show only entries whose syslog identifier is "sudo". sudo has no systemd unit of its own (it logs through syslog), so filtering with -u sudo would match nothing.

This is a great way to maintain accountability and see exactly what users like joker are doing with their new administrative powers!
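As an added example (not part of the original answer), here is a POSIX shell script that turns raw sudo log lines of the format shown in step 4 into structured records instead of relying on a bare grep. It assumes the classic syslog line layout written by rsyslog to /var/log/auth.log (and the matching "short" output of journalctl); the sample lines, function names and variable names are constructed for this example.

```shell
#!/bin/sh
# Added example: parse sudo log lines into tab-separated records
# (host, invoking user, target user, command, status) so a monitor can
# count or flag activity rather than just scroll raw text.

# Constructed sample lines (not captured from a real system). The third and
# fifth lines show user "joker" running a command and being denied one.
SAMPLE_LOG='May 24 10:15:01 labex sudo:    labex : TTY=pts/0 ; PWD=/home/labex/project ; USER=root ; COMMAND=/usr/bin/ls
May 24 10:15:01 labex sudo: pam_unix(sudo:session): session opened for user root(uid=0) by labex(uid=1000)
May 24 10:16:42 labex sudo:    joker : TTY=pts/1 ; PWD=/home/joker ; USER=root ; COMMAND=/usr/bin/apt install nmap
May 24 10:17:03 labex sshd[1234]: Accepted publickey for labex from 10.0.0.5 port 52222 ssh2
May 24 10:17:30 labex sudo:    joker : command not allowed ; TTY=pts/1 ; PWD=/home/joker ; USER=root ; COMMAND=/usr/bin/visudo'

# parse_sudo_lines: read log lines on stdin, print one record per sudo
# command line: host<TAB>invoking_user<TAB>target_user<TAB>command<TAB>status.
# pam_unix session lines, sshd lines and other noise are dropped.
parse_sudo_lines() {
    awk '
        # Command records carry "user : ... COMMAND=...". The syslog tag is
        # "sudo:" in auth.log and "sudo[pid]:" in journalctl short output.
        $5 ~ /^sudo(\[[0-9]+\])?:$/ && /COMMAND=/ {
            host = $4; user = $6
            target = "?"; cmd = "?"
            if (match($0, /USER=[^ ;]+/)) target = substr($0, RSTART + 5, RLENGTH - 5)
            if (match($0, /COMMAND=.*$/))  cmd    = substr($0, RSTART + 8)
            # sudo writes a reason before the TTY field when it refuses a command
            status = ($0 ~ /command not allowed|incorrect password attempt/) ? "denied" : "ok"
            printf "%s\t%s\t%s\t%s\t%s\n", host, user, target, cmd, status
        }'
}

# count_sudo_by_user: how many sudo command records each user produced.
count_sudo_by_user() {
    parse_sudo_lines | awk -F'\t' '{ n[$2]++ } END { for (u in n) print u, n[u] }' | sort
}

# monitor_sudo: the live version of the command from the answer, feeding the
# parser. tail -F (capital F) keeps following after logrotate replaces the file.
monitor_sudo() {
    sudo tail -F /var/log/auth.log | parse_sudo_lines
}

# Demonstration on the constructed sample (no root needed):
printf '%s\n' "$SAMPLE_LOG" | parse_sudo_lines
printf '%s\n' "$SAMPLE_LOG" | count_sudo_by_user
```

To watch a live system, call monitor_sudo from an interactive shell; to use the journal instead, pipe `sudo journalctl -f -t sudo` into parse_sudo_lines, since its default short output uses the same field layout (with the process id appended to the tag). A "denied" status is worth alerting on: it means a user asked for something their sudoers policy does not grant.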
