User Logoff

Linux Ubuntu

Flynn Weeks

Flynn Weeks

February 4, 2022

Linux Ubuntu

Enabled by default

Service: syslog

Log type: auth.log

A users log off can indicate the end of an attack or potential system restarts that may have occurred. This can conclude a timeline or give a bit more insight to a users activity.

Linux logs call a user logoff event session closed. There may be logs from a “user” called GDM; this is just the graphical login screen and will show up if a user switched accounts graphically. In order to view this event from the Logs application, select the Security tab and search for closed. Due to the restrictions of the GNOME Logs app, there will likely be several logs that contain “closed”, just look for the ones that say session closed for user.

To view this log through the command line, launch the terminal and enter the commandgrep "session closed" /var/log/auth.log.

View Logs
grep "session closed" /var/log/auth.log
Check Logging Status
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Disable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Enable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Language: bash
View Log Pile