How do I check logs for a specific item?
Linode
Linode Staff
Is there any audit log for logging to my server? We lost one application code folder cause something or someone has deleted it and we are trying to investigate what has happened. Our object is not to restore it cause we have already done it, but to obtain the knowledge whether it was deleted by some server process or a human mistake.
1 Reply
jdutton
Linode Staff
If you want to see a user's command history, you can check their logs a couple different ways, but you'll need to know the particular user account name prior to doing so. While logged in as a user with admin privileges, you can search their bash history with the following command, replacing user_name with the user you want to view:
sudo cat /home/user_name/.bash_history
If you want to see their login history, you can check the auth.log file with the following:
sudo cat /var/log/auth.log | grep user_name
There will be some backscroll involved with both of these methods, but it's a good way to get a comprehensive view of a user's history. If you're trying to find a particular item in their history, you should be able to grep for the item name. For example:
sudo cat /home/user_name/.bash_history | grep item_name
Here's a link to a great StackExchange forum that goes into a bit more depth about this:
How to view command history of another user in Linux?
If you want to check any other log files (i.e. cron jobs), most of your system's log files are located in your /var/log directory. This is a great article about how to find common log files via nixCraft:
Linux Log Files Location And How Do I View Logs Files on Linux?
In terms of your question, you should be able to grep to find the log file you're looking for (you can sub tail for cat or other viewing commands as referenced in that article):
sudo cat /var/log/cron.log | grep item_name
Hopefully this points you in the right direction!