148

Attempting something devious on my machine leads to

```
ryan@debian:~$ sudo EAT_ALL_THE_COOKIES_BEFORE_DINNER
[sudo] password for ryan: 
ryan is not in the sudoers file.  This incident will be reported.
```

Where is this incident reported, and how do I get the log of all the nasty attempted commands?

user1717828

2 Answers

223

Never mind, I just found the answer in the alt-text at xkcd:

xkcd838

Replace root with your username, in my case ryan, so the log is found with:

```
cat /var/spool/mail/ryan
```
Arc676
user1717828
  • 8
    Shouldn't it be `root` unless there is some forwarding set? The whole point should be that the email is sent to the administrator. Also, sure, once some forwarding is set, you can cat the spool file, but you can also use some mail client, like mail, nail, or something else that supports reading from the local spool (I'd say that this is usually the case except maybe for GUI clients "imported" from the Windows world). – njsg Jan 06 '13 at 11:31
  • 16
    There's nothing in `/var/spool/mail` in distributions using systemd (Archlinux in my case). In this case, you can find that report in the journal by using `journalctl` command. (@shellter - due to closed topic - disagree - I had to post a comment, not another valid answer) – dmnc Oct 02 '14 at 07:18
  • 2
    @dmnc I can confirm this, the `journalctl` command for this is `sudo journalctl /bin/sudo`. – simonzack Oct 22 '14 at 13:28
  • 23
    I know this is tagged 'debian', but I came looking for Ubuntu. So for the benefit of others looking for Ubuntu's output log, I found sudo failures in: `/var/log/auth.log` – CJBS Mar 23 '15 at 19:09
  • 1
    More specifically, to only see sudo failures in Ubuntu use `cat /var/log/auth.log | grep sudoers`. – akshayk07 Aug 05 '19 at 07:14
  • 2
    @CJBS In Ubuntu under WSL I had to run `sudo service rsyslog start` to start the logging service. – Rain Oct 22 '21 at 03:49
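
As an added example (not part of the original answers or comments): a small Python parser that pulls rejected sudo attempts out of `/var/log/auth.log`-style text, going beyond the `grep sudoers` filter mentioned above by also splitting out the user, working directory and full command. The sample lines, the function names and the assumed classic syslog line layout are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the classic syslog layout (assumed; not taken from the page).
SAMPLE_LOG = """\
Mar 23 19:09:01 debian sudo:     ryan : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ryan ; USER=root ; COMMAND=/usr/bin/apt update
Mar 23 19:10:12 debian sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart ssh
Mar 23 19:11:40 debian sudo:     ryan : user NOT in sudoers ; TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c id ; whoami
Mar 23 19:12:03 debian sshd[811]: Failed password for ryan from 192.0.2.7 port 50122 ssh2
Mar 23 19:13:27 debian sudo:      bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
"""

# Rejected attempts carry a reason between the user and TTY=; permitted runs
# (alice above) do not, so they never match. COMMAND= is taken to end of line
# because the logged command itself may contain " ; ".
EVENT = re.compile(
    r"^(?P<when>.+?)\s(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<reason>[^;=]+?) ; TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?)"
    r" ; USER=(?P<runas>\S+) ; (?:[A-Z]+=\S+ ; )*COMMAND=(?P<command>.*)$"
)


def parse_rejected(text):
    """Return one dict per rejected sudo attempt found in auth.log-style text."""
    events = []
    for line in text.splitlines():
        match = EVENT.match(line)
        if match:
            events.append(match.groupdict())
    return events


def rejected_by_user(events):
    """Count rejected attempts per invoking user."""
    return Counter(event["user"] for event in events)


if __name__ == "__main__":
    found = parse_rejected(SAMPLE_LOG)
    for e in found:
        print(f'{e["when"]}  {e["user"]:<6} {e["reason"]:<22} {e["command"]}')
    print(dict(rejected_by_user(found)))
```

To run it against a real log, pass the file's contents to `parse_rejected` instead of `SAMPLE_LOG`; reading `/var/log/auth.log` usually requires root or membership in the `adm` group.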
41

The report is sent as an email to the root user. Many Linux distributions will automatically set up an alias for that user directing the mail to the first account created during the install process.

qqx