Score:0

/var/log/auth.log in Ubuntu under WSL

in flag

Where do I find login information when running Ubuntu under Windows Subsystem for Linux (WSL)? I would normally expect it to be in /var/log/auth.log, but I don't see any login attempts there.

Output of my /var/log/auth.log:

Output of my /var/log/auth.log

ru flag
Have you actually *tried* checking that path? Because that's where it normally is on Ubuntu. Might be different with WSL at play though
Y_sgard avatar
in flag
@ThomasWard i tried command sudo less /var/log/auth.log and it didn't give me exactly what I expected to see.Now I will update the question and add a screenshot.
ru flag
which proves this is an XY question, because you're asking specifically about a potential 'solution' for getting unspecified information. What is your *actual* issue you're trying to solve/figure out?
Y_sgard avatar
in flag
@ThomasWard I just need follow the file where logins are logged
ru flag
define "logins" - is this a VM? Or WSL? Straight WSL when executed via the 'bash' function and Ubuntu app in Windows doesn't store a login log. (Just checked on my WSL2 system). If this is WSL then auth.log might not help you, logins likely are at the Windows level (WSL wasn't designed to run independently of a user login on Windows necessarily). So unless you're running an SSH server inside of WSL, and SSHing into the WSL environment, there won't be 'typical' login logs.
Y_sgard avatar
in flag
@ThomasWard yep ,WSL.Do I understand correctly that information about the user name that I entered for the first time when I installed ubuntu is not saved?
ru flag
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/129331/discussion-between-thomas-ward-and-y-sgard).
Score:3
vn flag

There are two reasons you don't see a /var/log/auth.log under WSL:

  • First, WSL doesn't run any services by default, including rsyslog. Without a system logging service, well ... no syslogs! I'm assuming you already have figured this part out since you do have a /var/log/auth.log, though. For others that are reading this, you would need to do a sudo service rsyslog start to start the logging service.

  • Second, as ThomasWard pointed out in the comments and discussion, WSL does not "login" in a traditional sense. Specifically, under Ubuntu, PAM (pluggable authentication modules) is used to authenticate users. And PAM is what logs the authentication information to syslog, typically resulting in the output you expect in /var/log/auth.log.

    But you'll notice that you don't enter a password when starting WSL. This is because WSL's /init process (its PID 1 which is the parent of all other processes) starts your shell as the default user. Passwords aren't that useful in WSL, since it's your Windows user that ultimately determines your access rights to the system. Put another way, even root in WSL can never exceed the permissions of the Windows user.

    Since you're already logged in to Windows, WSL doesn't need the "extra protection" of a WSL user password.

However, as you've seen in your existing /var/log/auth.log, there are things that you can do to trigger PAM, and thus trigger writes to the log. The two most common are su and sudo.

Also note that the /etc/securetty message that you are seeing in the log is due to the pam_securetty module attempting to look for its configuration. Since that's not configured (or needed) under WSL, Ubuntu does not provide that file by default.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.