Where are unauthorized sudo attempts reported to?

Where are unauthorized sudo attempts reported to?

When you attempt to use sudo, and are not allowed, a message says that the attempt will be reported.

Is this only reported in /var/log/auth.log? Is there another place? The reason I ask, is because the log contains so much that it's not a very good way of viewing often.


It is reported in that file in ubuntu. It quite easy to change that. Just add this line in your /etc/sudoers file. Use sudo visudo to edit the file.

Defaults    logfile=/var/log/sudo.log 

You can change the file name to whatever you think is appropriate.


It is also sent by e-mail to root. If you want to have it sent to your user account instead, you can set an alias in /etc/aliases. In addition, if your system is configured properly to send e-mail to the outside world, you can alias it to any e-mail address. (To read e-mail sent to your local account, you can use, e.g., mutt.)