User Logon

Enabled by default

Service: syslog

Log type: auth.log

A users log in will likely be the first sign of an attack and can indicate suspicious behavior. It can also give an analyst a starting time to create a timeline of events. This log is required in the HIPAA and PCI DSS regulations.

View Logs
grep "session opened" /var/log/auth.log
Check Logging Status
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Disable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Enable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Language: bash
Back to Linux Ubuntu

Linux logs call a user login event session opened. There may be logs from a “user” called GDM; this is just the graphical login screen and will show up if a user switched accounts graphically. In order to view this event from the Logs application, select the Security tab and search for opened.

To view this log through the command line, launch the terminal and enter the command grep "session opened" /var/log/auth.log.