How to Check Sudo History in Linux

Sudo History 00 Featured Image

When sharing your computer with others, and you’ve granted them sudo access, it’s prudent to monitor how they’re using it. Thankfully, it’s easy to check out sudo history. Let’s see how.

The Authentication Log

Plenty of Linux services keep logs to help in troubleshooting problems. Thankfully, among other things, it also keeps a detailed list of precisely the information we seek in this article. In this list, you can check out who and when issued which command using sudo. To find this information, if you’re using a distribution based on Debian or Ubuntu, enter the following into your favorite terminal:

sudo nano /var/log/auth.log
Sudo History 01 Auth Log Command

In other distributions the location may vary. This information could be at “/var/log/secure” or “/var/log/audit/audit.log.” You can find this log file’s location by checking the sudoer’s file. This, too, may be found in a different spot depending on the distribution. Usually, you’ll find it at “/etc/sudoers.” Open it with your favorite text editor and search for the logfile entry. Its value is where the file we’re seeking lies, so, remix the command above to check yours instead.

Making Sense of Chaos

The log file will contain a ton of entries that probably aren’t of interest. You could scroll and scroll through it or use your text editor’s find function to locate every use of sudo.

Sudo History 02 Auth Log Contents

It’s better, though, if you use grep instead. This way, you can filter the log’s contents based on a simple query. To find all sudo entries in it, use:

sudo grep sudo /var/log/auth.log

Remember to update the log’s path to the correct one for your distribution.

Sudo History 03 Auth Log Grep

This command will display the results directly in your terminal.

Sudo History 04 Auth Log Grep Contents

If you prefer to have them in file format, add a redirect after the command:

sudo grep sudo /var/log/auth.log > sudolist.txt

When you check it out, you’ll find a series of entries that contain the date, time, computer name, and command used.

Normal Bash

If you’re just looking for all commands typed in the terminal, you can check out the “.bash_history” file located in the Home folder. You could, for example, enter the following in a terminal:

sudo nano /home/USERNAME/.bash_history

This will show you all the commands you (or other users) run in the terminal.

Journalctl

With that, another way of looking at what sudo did is by using systemd’s journalctl. In that, this is a system logging program that comes with every Linux distribution that uses systemd.

Sudo History 05 Systemd Sample

These include not only Debian and Ubuntu but also other popular distributions such as Arch Linux and Fedora. As such, journalctl can be a helpful utility if you are already constantly switching between systemd-based Linux distributions.

Knowing that, using journalctl to look at the sudo logs is incredibly easy. First, you need to log in to either the root user or an account with superuser privileges.

Sudo History 06 Group Membership

Run the following command to view all of the logs for the sudo program:

sudo journalctl -e /usr/bin/sudo

Doing this will, in turn, tell the journalctl program to look at the sudo program, search for all of the journal entries and then print all of the logs that mention sudo. From there, journalctl will pipe all of that information to the system pager where you can easily scroll through the whole history of sudo-related logs.

Sudo History 07 Journalctl Contents

From here, journalctl will then highlight all of the instances that a user invoked a sudo command. As discussed above, this can be helpful if you are trying to fix a multi-user system and you want to know who ran privileged commands when.

Sudo History 08 Journalctl Error Highlight

GUI-specific Programs

Knowing all of that, it is also possible to read your system’s sudo logs through a dedicated interface that came with your desktop environment. Doing it this way reduces the amount of complexity and commands that you need to learn in order to monitor your system.

One important thing to note is that these programs will always be included in a basic installation of a desktop environment. However, Linux distributions often create custom builds that do not contain these smaller utilities. As such, you will need to first check whether these tools are already installed in your system.

GNOME Log

The GNOME Log utility is the default graphical system logger for distributions that use the GNOME desktop environment. These include Ubuntu 21.10, 22.04 as well as Fedora 36.

Sudo History 09 Gnome Desktop

In order to start using the program, you will need to first open the Application Menu. From there, you can then type “Logs” to search for the GNOME Log Utility.

Sudo History 10 Logs Search

Once open, the program will present a number of tabs where you can check the log for a particular aspect of your system. In order to check for your sudo logs you will need to click “Security”.

Sudo History 11 Gnome Logs Main Window

This will, in turn, print all of the latest security information for your machine. This includes all of the processes that ran with root privileges regardless if it is using sudo or not. From here, you can then press the Magnifying Glass icon on the top right corner of the window to initiate a search on all of these log entries.

Sudo History 12 Gnome Logs Search Icon 1

With that, you can type the word “sudo” to tell GNOME Logs that you only want to see the commands and processes that were ran through sudo.

Sudo History 13 Gnome Logs Sudo History

KSystemLog

KSystemLog is the default logging utility for distributions such as Kubuntu 21.10, 22.04 and Manjaro KDE, all of which use the KDE Plasma environment for their desktop. Similar to GNOME Log, it is also a fully-featured program that can provide an extensive view of your machine.

Sudo History 14 Plasma Desktop

With that, using KSystemLog to look at your system’s sudo history is incredibly easy. First, you need to open the Applications Launcher by clicking the Plasma icon on the lower left corner of your screen.

Sudo History 15 Plasma Application Menu

From there, you can then type “KSystemLog” at the launcher’s search bar. This will, in turn, search for the utility and run it as soon as you press Enter.

Sudo History 16 Plasma Ksystemlog Landing

Once done, KSystemLog will immediately display a log for the programs that are currently running in the system. From here, you can then type “sudo” on the Filter bar to only look at all the logs that came from sudo.

Sudo History 17 Plasma Ksystemlog Sudo History

MATE System Log

Lastly, MATE System Log is a minimal GUI log program that comes by default in MATE-based distributions. Unlike the previous GUI loggers, it only provides a simple file browser for all the system logs available in the machine. As such, MATE System Log can look daunting for a beginner to properly use.

Sudo History 18 Mate Desktop

Despite that, using this program to view your sudo history log is relatively straightforward. In order to get started, you need to first open your Application Menu by clicking the Menu button located on your desktop’s upper left corner.

Sudo History 19 Mate Application Menu 1

From there, you can then focus on the Search Bar and type “Log File Viewer”. This will tell MATE to look for the system log program and run it.

Sudo History 20 Log File Viewer Landing

Once done, the MATE System Log program will list all the current logs available in your system. With that, the last thing that you need to do to view your sudo history is to click “auth.log”.

As described above, this is the log file that takes note of all the sudo related commands that ran in your system. In my case, it showed that I ran recently ran a system update on my system through sudo.

Sudo History 21 Log File Viewer Sudo History

Frequently Asked Questions

Is it possible to only show the latest sudo log entries from journalctl?

Yes! It is possible to only show a limited amount of logs from journalctl. This can be especially helpful if you are maintaining a heavily-used machine and you only want to know the last few sudo-related logs. You can run the following command in your terminal:

sudo journalctl --lines=10 -e /usr/bin/sudo

Doing this will tell journalctl that you only want it to display the last 10 sudo-related entries that it logged while it is running.

It is also possible to only display time-specific logs from journalctl. This command will tell journalctl to only print all the sudo-related logs that were committed between yesterday and today:

sudo journalctl --since=yesterday --until=today -e /usr/bin/sudo

I am not using Bash, is it still possible to look at my sudo history?

This will largely depend on the shell that you are currently using. For the most part, however, every system shell should be able to produce a running history of all the commands that you ran in your machine.

For example, the history file for Debian-based systems are often labelled as “.history”. As such, you can open this file instead of the default “.bash_history”

KSystemLog asks and denies my password when I open it, is my copy broken?

By default, KSystemLog will attempt to open itself with elevated privileges. This, in turn, allows it to not only display logs but also manage the processes that are currently running in the system.

Because of that, KSystemLog will always try to run itself as the root user when you open it for the first time. In order to achieve that, however, it first needs to know your root account’s password.

Despite that, it is still possible to use KSystemLog without providing any root privileges. To do that, you can press the “Ignore” button when KSystemLog asks for any elevated privileges.

Image credit: Unsplash

Ramces Red
Ramces Red

Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox