Ubuntu Login Logs Monitoring Guide: System Security and Authorization Analysis

The foundation of server security is visibility.
You need to know who logged in, when and from where.
With this guide, you will keep your system under constant control.

📌 Technical Summary

This guide examines authentication records on Ubuntu systems.
The aim is to detect unauthorized access early.

Steps followed:

auth.log review
Session history analysis
User based control
Suspicious login filtering
Security assessment

🚀 What Will You Learn in This Guide?

Interpreting auth.log lines
read past sessions with last
user tracking with lastlog
Recognizing brute-force attempts
Watch live logs

🛠️ Requirements

Before you start:

Ubuntu 20.04 or above
SSH access
sudo authority
Basic Linux knowledge

✅ Step 1: Reading the auth.log File

This file holds all authorization records.

This command opens the file with pages.

sudo less /var/log/auth.log

Pay attention to the following lines:

sshd → SSH connections
Accepted password → Successful login
Failed password → Incorrect attempt
pam_unix → Session logs

Press q to exit.

✅ Step 2: Viewing Session History (last)

This command produces regular login report.

last

On output:

Username
IP address
Session duration
Active status

appears.

still logged in indicates the active session.

✅ Step 3: User Based Analysis (lastlog)

This command scans all users.

lastlog

Never logged in is normal for system accounts.

Unexpected logins for root are risky.

✅ Step 4: Filtering Suspicious Attempts

List failed logins.

grep "Failed password" /var/log/auth.log

Examine the root entries.

grep "root" /var/log/auth.log

These filters are effective in attack detection.

✅ Step 5: Live Log Tracking

This command provides instant monitoring.

sudo tail -f /var/log/auth.log

You instantly see suspicious activities.

📊 Recommended Settings for Security

Recommended precautions:

Turn off root SSH
Use SSH key
Install Fail2Ban
Change port
Set a strong password

🧩 Troubleshooting

If the log is not visible:

Check if rsyslog is working
Check disk fullness
Examine file permissions
Check rotation settings

Service status:

systemctl status rsyslog

❓ Frequently Asked Questions

1. What is a wtmp file? It keeps past session records.

2. What happens if auth.log is deleted? Old records are lost. New registrations continue.

3. How to understand a brute-force attack? Successive unsuccessful attempts are seen.

4. Do logs fill the disk? Logrotate cleans automatically.

5. Can I analyze logs automatically? Yes, it is possible with Fail2Ban and SIEM tools.

🎯 Result

With this guide:

You analyzed the entries

You learned the risks

You increased security

You protected the server

You can establish secure, traceable and high-performance servers with GenixNode infrastructure. 🚀

📌 Technical Summary​

🚀 What Will You Learn in This Guide?​

🛠️ Requirements​

✅ Step 1: Reading the auth.log File​

✅ Step 2: Viewing Session History (last)​

✅ Step 3: User Based Analysis (lastlog)​

✅ Step 4: Filtering Suspicious Attempts​

✅ Step 5: Live Log Tracking​

📊 Recommended Settings for Security​

🧩 Troubleshooting​

❓ Frequently Asked Questions​

🎯 Result​