Who are incidents really reported to, and how can a sudo user access the reports?
Matthew Barrera
When my non-sudo account tries to run a sudo command:
nonsudo@Hairy14:$ sudo hello
An incident is reported:
[sudo] password for nonsudo:
nonsudo is not in the sudoers file. This incident will be reported.
I'm guessing it's not really Father Christmas, so who is it reported to (or where) and how can I access it?
(From xkcd, by Randall Munroe)
12 Answers
The Title of the image might give us a clue:
He sees you when you're sleeping, he knows when you're awake, he's copied on
/var/spool/mail/root, so be good for goodness' sake.
What does /var/spool/mail/root contain? Uhh, for me nothing as a normal user:
cat: /var/spool/mail/root: No such file or directory
And the same with sudo. For me, there is no /var/spool/mail/root.
It turns out, Ubuntu is different - by default root's mail goes to /dev/null, or the black hole in your computer.
To find our logs, we need to look in
/var/log/auth.log
And lo and behold, a sudo cat gives us this line:
Jun 25 22:45:07 Hairy14 sudo: nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello
Note that sometimes (e.g. if your account has no password or is disabled) it will simply not let you run the command - but it will still be reported in the same way:
Jun 25 22:44:17 Hairy14 sudo: nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello
Note that there is a lot of other text along with the "naughty" reports. You may need to grep.
The journalctl method
One method involves looking through the journalctl output. journalctl /usr/bin/sudo will list all messages related to that specific executable path, and the reported incident will be highlighted in a nice, noticeable red color like so:
journalctl -f /usr/bin/sudo will show only the most recent journal entries, and continuously print new entries as they are appended to the journal. It's only helpful if the reported incident has happened just recently.
GNOME Logs
Another way to find such incidents is to use the default Logs application, which is installed by default on recent Ubuntu releases. A short screencast showcasing how it can be done through GNOME Logs:
- open the application;
- select "All" from the list of categories on the left side;
- invoke the search bar and
- just type in "sudo".
It lacks the highlighting of journalctl, though.
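A small shell helper, added here as an example and not taken from any of the answers above, that does the grep-and-read step from the first answer for you: it pulls every "user NOT in sudoers" record out of auth.log-style text (or journalctl's short output, which adds a PID after "sudo"), prints who tried what on which TTY, and tallies attempts per user. The log lines embedded in it are constructed for the example, modelled on the format quoted above.

```shell
#!/usr/bin/env sh
# Constructed sample in the /var/log/auth.log format shown in the answer;
# the successful sudo and the sshd line are there to be ignored.
SAMPLE_LOG='Jun 25 22:44:17 Hairy14 sudo: nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello
Jun 25 22:45:07 Hairy14 sudo: nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello
Jun 25 22:46:30 Hairy14 sudo:      tim : TTY=pts/3 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/apt update
Jun 25 22:47:02 Hairy14 sshd[1234]: Accepted publickey for tim from 192.0.2.10 port 50000 ssh2
Jun 25 22:48:11 Hairy14 sudo[2345]:    guest : user NOT in sudoers ; TTY=pts/5 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log'

# Read log text on stdin; print "<timestamp> <user> <tty> <command>" for
# each rejected sudo attempt. Matches both "sudo:" (rsyslog auth.log) and
# "sudo[PID]:" (journalctl) program tags.
sudo_incidents() {
    awk '
    /sudo(\[[0-9]+\])?:/ && /user NOT in sudoers/ {
        ts = $1 " " $2 " " $3          # syslog timestamp: month, day, time
        user = $6                      # invoking user follows the "sudo:" tag
        tty = ""; cmd = ""
        if (match($0, /TTY=[^ ;]+/))
            tty = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /COMMAND=.*$/))
            cmd = substr($0, RSTART + 8, RLENGTH - 8)
        print ts, user, tty, cmd
    }'
}

# Count rejected attempts per user, most frequent first: "<count> <user>".
sudo_incident_counts() {
    sudo_incidents | awk '{ c[$4]++ } END { for (u in c) print c[u], u }' | sort -rn
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | sudo_incidents
printf '%s\n' "$SAMPLE_LOG" | sudo_incident_counts
```

On a real host feed it `sudo cat /var/log/auth.log` or `journalctl /usr/bin/sudo --no-pager` instead of the sample.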