/var/log/auth.log: Explanation & Insights
Contains authentication-related events
The /var/log/auth.log file is a system log file that records all authentication-related events on a Linux server. This includes all attempts to log into the system, whether successful or failed, as well as any changes to user accounts or privileges. The file is a wealth of data for system administrators to monitor and diagnose login, authentication, and user-related issues.
Contents of /var/log/auth.log
The /var/log/auth.log file is a text file with each line representing an event. Each line contains the timestamp of the event, the hostname, the process that logged the event, followed by the message. For instance, a line might look like this:
Apr 12 13:23:45 host123 sshd[4567]: Failed password for root from 192.168.1.123 port 22 ssh2
This line indicates a failed login attempt on April 12 at 13:23:45 for the root user from IP address 192.168.1.123.
Importance of /var/log/auth.log
The /var/log/auth.log file is crucial for system administrators to monitor authentication attempts to the server. It can be used to spot any unauthorized access attempts, repeated failed login attempts (which could indicate a brute force attack), or changes to user accounts that were not authorized or expected. It's also useful for diagnosing login issues, like a user repeatedly failing to log in due to a forgotten password.
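The line layout described under "Contents" and the repeated-failure check described here can be combined into a small parser. This is an added example, not part of the original page: the sample lines are constructed, the traditional syslog timestamp format is assumed, and the threshold of 3 failures per source address is an arbitrary illustrative value.

```python
import re
from collections import Counter

# Constructed sample lines in the layout described above (not real log data).
SAMPLE_LOG = """\
Apr 12 13:23:45 host123 sshd[4567]: Failed password for root from 192.168.1.123 port 22 ssh2
Apr 12 13:23:47 host123 sshd[4567]: Failed password for root from 192.168.1.123 port 22 ssh2
Apr 12 13:23:51 host123 sshd[4569]: Failed password for invalid user admin from 192.168.1.123 port 22 ssh2
Apr 12 13:24:02 host123 sshd[4571]: Failed password for alice from 10.0.0.7 port 50514 ssh2
Apr 12 13:24:30 host123 sshd[4571]: Accepted password for alice from 10.0.0.7 port 50514 ssh2
Apr 12 13:25:01 host123 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
"""

# Fields: timestamp, hostname, process (PID in brackets is optional), message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd's failed-password message; "invalid user" marks an account that does not exist.
FAILED_RE = re.compile(
    r"^Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def failed_logins(text):
    """Return (timestamp, user, source_ip, is_invalid_user) for each sshd failure."""
    events = []
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry or entry["proc"] != "sshd":
            continue  # skip unparseable lines and non-sshd processes such as sudo
        m = FAILED_RE.match(entry["msg"])
        if m:
            events.append((entry["ts"], m["user"], m["ip"], bool(m["invalid"])))
    return events

def suspicious_sources(text, threshold=3):
    """Source addresses with at least `threshold` failed attempts (assumed cutoff)."""
    counts = Counter(ip for _, _, ip, _ in failed_logins(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed password attempts")
```

Counting by source address rather than by username catches attempts spread across several accounts, including accounts that do not exist on the server.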
Diagnosing Issues with /var/log/auth.log
The /var/log/auth.log file can be used to diagnose various issues. For instance, if a user reports that they are unable to log in, you can use the grep command to search the /var/log/auth.log file for the username and spot any failed login attempts:
grep 'username' /var/log/auth.log
This will output all lines containing 'username', allowing you to see if there are any repeated failed login attempts, which could indicate a wrong password or possible account lockout.
Clearing /var/log/auth.log
It's important to note that the /var/log/auth.log file can become quite large over time. On a busy server, the log can quickly grow to several gigabytes in size. To avoid filling up your filesystem, it's a good practice to regularly clear or rotate your log files. This can be done manually, or by using a log rotation tool such as logrotate. Rotation keeps older entries available for later review, whereas clearing the file discards them.
Conclusion
The /var/log/auth.log file is a key log file on a Linux server that tracks all authentication-related events. It's an invaluable resource for diagnosing various authentication and user-related issues, and for monitoring the security of your server. Remember to regularly check and maintain this log file to ensure the smooth and secure operation of your server.