Where are unauthorized sudo attempts reported to?
When you attempt to use sudo, and are not allowed, a message says that the attempt will be reported.
Is this only reported in /var/log/auth.log? Is there another place? The reason I ask, is because the log contains so much that it's not a very good way of viewing often.
It is reported in that file in ubuntu. It quite easy to change that. Just add this line in your /etc/sudoers file. Use sudo visudo to edit the file.
Defaults logfile=/var/log/sudo.log
You can change the file name to whatever you think is appropriate.
It is also sent by e-mail to root. If you want to have it sent to your user account instead, you can set an alias in /etc/aliases. In addition, if your system is configured properly to send e-mail to the outside world, you can alias it to any e-mail address. (To read e-mail sent to your local account, you can use, e.g., mutt.)
