User Activity and Authentication Logs Monitoring Guide
Comprehensive guide to monitoring user activity and authentication logs on Linux servers. Learn how to track user logins, monitor authentication failures, detect suspicious activity, and set up automated user activity monitoring with Zuzia.app.
User activity and authentication logs monitoring is essential for maintaining security, detecting unauthorized access, and tracking user behavior. This comprehensive guide covers everything you need to know about monitoring user activity, tracking authentication events, detecting suspicious logins, and setting up automated user monitoring on Linux servers.
For related security topics, see Server Security Events Monitoring and Intrusion Detection. For troubleshooting authentication issues, see User Authentication Failures.
Why User Activity Monitoring Matters
User activity monitoring helps you detect unauthorized access attempts, track user behavior, identify security threats, maintain audit trails, and ensure compliance with security requirements. Without proper user monitoring, unauthorized access can go undetected, security breaches can occur, and compliance violations can result.
Effective user monitoring enables you to:
- Detect unauthorized access attempts
- Track user login and logout activity
- Monitor authentication failures
- Identify suspicious user behavior
- Maintain comprehensive audit trails
- Respond quickly to security incidents
Understanding User Activity and Authentication
Before diving into monitoring methods, it's important to understand user activity and authentication:
Authentication Events
- Successful Logins: Valid user authentication
- Failed Logins: Invalid authentication attempts
- Logout Events: User session terminations
- Privilege Escalation: sudo, su, and other privilege changes
User Activity Types
- Login Activity: User authentication and session management
- Command Execution: Commands run by users
- File Access: Files accessed by users
- Network Activity: Network connections initiated by users
Method 1: Monitor Authentication Logs
Authentication logs record every sshd and PAM decision (accepted and failed logins, sudo and su use, password changes). The examples below read /var/log/auth.log, which is where Debian and Ubuntu write them; RHEL-family systems write the same lines to /var/log/secure, and hosts that keep only the systemd journal expose them through journalctl instead:
View Failed Login Attempts
# View failed login attempts
sudo grep "Failed password" /var/log/auth.log
# View failed SSH login attempts
sudo grep "Failed password" /var/log/auth.log | grep ssh
# Count failed login attempts per user (field 9 is the user only for accounts that exist; "Failed password for invalid user NAME from IP" lines put the name in field 11 and the address in field 13)
sudo grep "Failed password" /var/log/auth.log | awk '{print $9}' | sort | uniq -c
# View recent authentication failures
sudo tail -100 /var/log/auth.log | grep -i "fail\|denied\|invalid"
Monitor Successful Logins
# View successful password logins (key-based logins are logged as "Accepted publickey" and would be missed by this pattern)
sudo grep "Accepted password" /var/log/auth.log
# View SSH login activity
sudo grep "Accepted" /var/log/auth.log | grep ssh
# View the most recent login of every account
sudo lastlog
# View current logged-in users
who
Track User Sessions
# View active user sessions
who
# View detailed session information
w
# View login history
last
# View failed login attempts (reads /var/log/btmp, which is root-only)
sudo lastb
Method 2: Monitor User Activity
Tracking user activity helps identify suspicious behavior:
View User Command History
Shell history is written by the user's own shell, usually only when the shell exits, and is entirely under that user's control: it can be truncated, edited, or disabled for a session. Treat it as a lead rather than an audit trail; an auditd execve rule is the reliable record of command execution.
# View your own command history
history
# View a specific user's saved history
sudo cat /home/username/.bash_history
# View root's saved history
sudo cat /root/.bash_history
# Search history for privilege changes and destructive commands
history | grep "sudo\|su\|rm"
Monitor Current User Activity
# View currently logged-in users
who
# View user activity details
w
# View processes owned by a user (ps -u selects by owner, so unlike "ps aux | grep" it does not match the grep itself or unrelated command lines)
ps -f -u username
# View audit records attributed to the user (requires auditd with rules loaded; file-access events appear only for paths covered by a watch rule)
sudo ausearch -ua username
Track Privilege Escalation
# View sudo usage
sudo grep sudo /var/log/auth.log
# View su command usage
sudo grep "su:" /var/log/auth.log
# View PAM authentication failures (sudo, su, login and sshd all report through pam_unix, so this covers failed password prompts in general, not only privilege escalation)
sudo grep "authentication failure" /var/log/auth.log
# View sudo command execution
sudo grep "sudo:" /var/log/auth.log | grep "COMMAND"
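Grepping for COMMAND shows the raw lines, but reviewing privilege escalation is easier once each sudo entry is reduced to who invoked it, which account it targeted, what ran, and whether sudo allowed it. The script below is an added example written for this page, not Zuzia.app's code or anything from the original article. It parses the sudo log format shown in its header comment (one line per invocation, fields separated by " ; ", with a denial reason inserted before TTY= when sudo refuses), builds a constructed sample file, and flags allowed invocations that hand out an interactive root shell. The sample users, paths, and the list of shells treated as sensitive are assumptions.

```sh
#!/bin/sh
# Added example (not from the page or Zuzia.app): reduce sudo's auth-log lines
# to "OUTCOME invoker target command" records. sudo logs one line per
# invocation, fields separated by " ; ":
#   sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
# A denial inserts its reason before TTY=, e.g. "user NOT in sudoers" or
# "3 incorrect password attempts". A command that itself contains " ; " would
# be split as well; that is a known limitation of this parser.

# Constructed sample lines (not real activity), written to a temp file.
make_sudo_sample() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
Jan  5 10:00:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan  5 10:02:11 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jan  5 10:02:11 web1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Jan  5 10:05:40 web1 sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
Jan  5 10:07:02 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Jan  5 10:09:30 web1 sudo:    carol : TTY=pts/3 ; PWD=/srv ; USER=postgres ; COMMAND=/usr/bin/psql
EOF
    printf '%s\n' "$f"
}

# sudo_events LOGFILE: one "ALLOWED|DENIED invoker target command" line per invocation.
# The pam_unix session lines sudo also emits do not match the pattern and are skipped.
sudo_events() {
    awk -F' ; ' '/ sudo: +[^ ]+ : / {
        split($1, head, " : ")          # head[1] ends with the invoking user,
        n = split(head[1], w, " ")      # head[2] is "TTY=..." or a denial reason
        invoker = w[n]
        outcome = (head[2] ~ /^TTY=/) ? "ALLOWED" : "DENIED"
        target = ""; cmd = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^USER=/)    target = substr($i, 6)
            if ($i ~ /^COMMAND=/) cmd    = substr($i, 9)
        }
        print outcome, invoker, target, cmd
    }' "$1"
}

# sudo_denials LOGFILE: refused invocations and failed password prompts.
sudo_denials() { sudo_events "$1" | awk '$1 == "DENIED"'; }

# root_shells LOGFILE: allowed invocations whose command (first word) is an
# interactive shell or su run as root. These deserve review even from trusted
# admins, because everything typed afterwards is invisible to the sudo log.
root_shells() {
    sudo_events "$1" | awk '$1 == "ALLOWED" && $3 == "root" &&
        $4 ~ /^\/(usr\/)?bin\/((ba|z|da)?sh|su)$/'
}

SAMPLE="$(make_sudo_sample)"
echo "== denials";     sudo_denials "$SAMPLE"
echo "== root shells"; root_shells "$SAMPLE"
rm -f "$SAMPLE"
# Against a live system: sudo sh -c '. ./sudo_events.sh; root_shells /var/log/auth.log'
```

On the sample, the denials are mallory (not in sudoers) and bob (three wrong passwords before su), and the only flagged root shell is alice's sudo /bin/bash; carol's psql session as postgres is reported by sudo_events but is not a root shell.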
Method 3: Monitor Authentication Failures
Detecting authentication failures helps identify attack attempts:
Analyze Failed Login Patterns
# Count failed attempts by IP (field 11 is the address only for accounts that exist; "invalid user" lines shift it to field 13 and put the attempted username in field 11, which pollutes this count on a host under enumeration)
sudo grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn
# Count failed attempts by user (field 9; "invalid user" lines put the name in field 11)
sudo grep "Failed password" /var/log/auth.log | awk '{print $9}' | sort | uniq -c | sort -rn
# View failed attempts in the current clock hour (%e gives the space-padded day syslog uses; %d would produce "05" and miss days 1-9)
sudo grep "Failed password" /var/log/auth.log | grep "$(date +'%b %e %H')"
# Identify brute force sources (more than 10 failures from one address)
sudo grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | awk '$1 > 10'
Detect Suspicious Activity
# List every source address that has logged in successfully; anything outside your known ranges deserves a look
sudo grep "Accepted" /var/log/auth.log | awk '{print $11}' | sort | uniq
# Check for logins outside business hours (assumes the traditional "Mon DD HH:MM:SS" syslog timestamp, where field 3 is the time; adjust the window to your own hours)
sudo grep "Accepted" /var/log/auth.log | awk '{if ($3 > "22:00" || $3 < "06:00") print}'
# View the user/IP pairs with the most failed attempts
sudo grep "Failed password" /var/log/auth.log | awk '{print $9, $11}' | sort | uniq -c | sort -rn
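The one-liners in Method 1 and Method 3 count on fixed awk field positions, which sshd's "invalid user" lines shift by two, so a host being enumerated for usernames reports attempted names where addresses should be. The script below is an added example written for this page, not Zuzia.app's code or anything from the original article. It writes a constructed auth.log sample, locates the "for" and "from" keywords instead of counting fields, and bundles the brute force and off-hours checks into one function whose non-zero exit status can serve as the alert condition of a scheduled task. The sample addresses and users, the failure threshold, and the 22:00 to 06:00 window are assumptions.

```sh
#!/bin/sh
# Added example (not from the page or Zuzia.app): auth.log analysis that does
# not depend on fixed awk field numbers. sshd writes two shapes of failure
# line, and the second shifts every later field by two:
#   Failed password for alice from 198.51.100.4 port 40112 ssh2
#   Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
# The functions below find the "for" / "from" keywords instead.

# Constructed sample lines in traditional syslog format (not real traffic).
make_sample_log() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
Jan  5 02:14:07 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jan  5 02:14:09 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Jan  5 02:14:12 web1 sshd[2214]: Failed password for root from 203.0.113.9 port 51031 ssh2
Jan  5 02:14:15 web1 sshd[2216]: Failed password for root from 203.0.113.9 port 51040 ssh2
Jan  5 09:30:01 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40112 ssh2
Jan  5 09:30:05 web1 sshd[2300]: Accepted password for alice from 198.51.100.4 port 40112 ssh2
Jan  5 23:45:10 web1 sshd[2410]: Accepted publickey for bob from 192.0.2.77 port 33000 ssh2: ED25519 SHA256:c29tZS1oYXNo
EOF
    printf '%s\n' "$f"
}

# failed_by_ip LOGFILE: "count ip" per source address, highest first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        n[ip]++
    }
    END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# failed_by_user LOGFILE: "count user", reading past "invalid user" when present.
failed_by_user() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "for") {
            u = ($(i + 1) == "invalid" && $(i + 2) == "user") ? $(i + 3) : $(i + 1)
            break
        }
        n[u]++
    }
    END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# brute_force_ips LOGFILE THRESHOLD: addresses with more than THRESHOLD failures.
brute_force_ips() {
    failed_by_ip "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# off_hours_logins LOGFILE: successful logins (password or publickey) logged
# before 06:00 or from 22:00 on. Assumes "Mon DD HH:MM:SS" timestamps, so the
# time is field 3; hosts using RFC 3339 timestamps carry it inside field 1.
off_hours_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        hh = substr($3, 1, 2) + 0
        if (hh >= 22 || hh < 6) {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  u  = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            print $1, $2, $3, u, ip, $7     # field 7 is the method: password / publickey
        }
    }' "$1"
}

# check_auth_log LOGFILE THRESHOLD: print findings and return 1 if there are
# any. Usable as a scheduled-task command: the non-zero exit is the alert.
check_auth_log() {
    hits="$(brute_force_ips "$1" "$2")"
    late="$(off_hours_logins "$1")"
    [ -n "$hits" ] && printf 'brute force source: %s\n' "$hits"
    [ -n "$late" ] && printf 'off-hours login: %s\n' "$late"
    [ -z "$hits" ] && [ -z "$late" ]
}

SAMPLE="$(make_sample_log)"
if check_auth_log "$SAMPLE" 3; then echo "nothing to report"; fi
rm -f "$SAMPLE"
# Against a live system: sudo sh -c '. ./check_auth.sh; check_auth_log /var/log/auth.log 10'
```

On the sample the script reports 203.0.113.9 (four failures, two of them against a non-existent account) as a brute force source and bob's 23:45 key-based login as off-hours, while the field-based one-liners would have counted two of those failures under "admin" instead of the address. Because it rescans the whole file on every run, a scheduled task should either point it at a rotated or time-filtered slice of the log or expect the alert to stay raised until the offending lines age out.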
Method 4: Monitor User Account Changes
Tracking user account changes helps detect unauthorized modifications:
Check User Account Modifications
# View user account creation
sudo grep "useradd\|new user" /var/log/auth.log
# View user account deletion
sudo grep "userdel\|delete user" /var/log/auth.log
# View password changes
sudo grep "password changed\|passwd" /var/log/auth.log
# View group modifications
sudo grep "groupadd\|groupdel\|groupmod" /var/log/auth.log
Monitor Account Status
# List all user accounts
cat /etc/passwd
# View user account details
id username
# Check account lock status (root is needed to query other users' entries)
sudo passwd -S username
# View account expiration and password aging
sudo chage -l username
Method 5: Automated User Activity Monitoring with Zuzia.app
While manual user activity checks work for audits, production Linux servers require automated user monitoring that continuously tracks authentication events, detects suspicious activity, and alerts you when unauthorized access occurs.
How Zuzia.app User Monitoring Works
Zuzia.app automatically monitors user activity on your Linux server through scheduled command execution and log analysis. The platform:
- Checks authentication logs every few minutes automatically
- Monitors failed login attempts and detects brute force attacks
- Tracks successful logins and identifies unusual patterns
- Detects user account changes and privilege escalation
- Sends alerts when suspicious activity is detected
- Stores all user activity data historically in the database
- Provides AI-powered analysis (full package) to detect patterns
- Monitors user activity across multiple servers simultaneously
You'll receive notifications via email, webhook, Slack, or other configured channels when suspicious user activity is detected, allowing you to respond quickly to potential security threats.
Setting Up User Activity Monitoring in Zuzia.app
1. Add Scheduled Task for Failed Login Monitoring
- Command: sudo grep "Failed password" /var/log/auth.log | tail -20
- Frequency: Every 5 minutes
- Alert when: Failed attempts exceed threshold
2. Configure Suspicious Activity Detection
- Command: sudo grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | awk '$1 > 10'
- Frequency: Every 10 minutes
- Alert when: Multiple failed attempts from same IP
Note that this command counts the entire log file on every run, so once any address passes the threshold the alert stays raised until the log rotates; to alert on a recent window, narrow the lines by timestamp first (see Method 3).
3. Set Up Login Monitoring
- Command: sudo grep "Accepted" /var/log/auth.log | tail -10
- Frequency: Every 15 minutes
- Alert when: Logins from unusual locations or times
4. Monitor User Account Changes
- Command: sudo grep -E "useradd|userdel|passwd" /var/log/auth.log | tail -10
- Frequency: Once daily
- Alert when: Account changes detected
Custom User Monitoring Commands
Add these commands as scheduled tasks for comprehensive user activity monitoring:
# Check failed login attempts
sudo grep "Failed password" /var/log/auth.log | tail -20
# Monitor successful logins
sudo grep "Accepted" /var/log/auth.log | tail -10
# Check for suspicious activity
sudo grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | awk '$1 > 10'
# View current logged-in users
who
Best Practices for User Activity Monitoring
1. Monitor User Activity Continuously
Don't wait for security incidents:
- Use Zuzia.app for continuous user monitoring
- Set up alerts before activity becomes critical
- Review user activity logs regularly (daily or weekly)
- Monitor authentication events in real-time
2. Set Appropriate Alert Thresholds
Configure alerts based on normal activity:
- Warning: 5-10 failed login attempts per hour
- Critical: 20+ failed login attempts per hour
- Emergency: Successful login from unusual location or time
Adjust thresholds based on your server's normal usage patterns and security requirements.
3. Monitor Multiple Indicators
Don't rely on single indicators:
- Combine authentication monitoring with user activity tracking
- Correlate login events with command execution
- Review account changes alongside authentication events
- Use AI analysis (full package) to identify patterns
4. Maintain Audit Trails
Keep comprehensive user activity records:
- Store all authentication and activity data historically
- Maintain audit trails for compliance
- Document security incidents and responses
- Review user activity trends over time
5. Respond Quickly to Suspicious Activity
Have response procedures ready:
- Define escalation procedures for suspicious activity
- Prepare incident response playbooks
- Test security response procedures regularly
- Document user activity incident responses
Troubleshooting User Activity Issues
Step 1: Investigate Authentication Failures
When authentication failures occur:
1. Review Authentication Logs:
- Check failed login attempts in /var/log/auth.log
- Identify source IP addresses
- Determine if failures are from legitimate users or attackers
2. Check User Accounts:
- Verify user account status
- Check for account lockouts
- Review password policies
Step 2: Investigate Suspicious Activity
When suspicious activity is detected:
1. Review User Activity:
- Check user login history
- Review command execution history
- Analyze file access patterns
2. Investigate Activity:
- Verify activity source
- Check for unauthorized access
- Review system logs
Step 3: Respond to Security Incidents
When security incidents occur:
1. Immediate Actions:
- Block source IP addresses if necessary
- Disable compromised accounts
- Review affected systems
2. Investigation:
- Review all user activity logs
- Check for signs of compromise
- Verify system integrity
FAQ: Common Questions About User Activity Monitoring
How often should I check user activity on my Linux server?
For production servers, continuous automated monitoring is essential. Zuzia.app checks user activity every few minutes automatically, stores historical data, and alerts you when suspicious activity is detected. Manual checks are useful for audits, but automated monitoring ensures you don't miss security incidents.
What user activity should I monitor?
Monitor authentication events (logins, logouts, failures), privilege escalation (sudo, su), user account changes, command execution, and file access. Focus on activities that indicate potential security threats or unauthorized access.
Can Zuzia.app detect brute force attacks?
Yes, Zuzia.app can detect brute force attacks by monitoring failed login attempts, identifying multiple failures from the same IP, tracking failure patterns, and alerting when attack thresholds are exceeded. Use commands that count failed attempts by IP address.
How do I respond to suspicious user activity alerts?
When suspicious activity alerts occur, immediately investigate the source, review user activity logs, check for signs of compromise, block IPs if necessary, disable compromised accounts, and verify system integrity. Document all security incidents for future reference.
Should I monitor user activity on all servers?
Yes, monitor user activity on all production servers. Unauthorized access can occur on any server, and comprehensive monitoring helps detect security threats across your entire infrastructure.