My home was broken into and someone attempted to log in to my Qubes environment, but failed (when I logged in the UI said there had been one failed attempt). I’ve been a software engineer for a long time, but I’m new to Qubes/Linux, and I’m needing to examine the auth.log file to determine what time the attempt was made… but I’m not seeing any failed attempt reading through the lines. Where is the auth.log located that I should be examining? The dom0 doesn’t include auth.log but I see one from other areas; is there a specific terminal I should be using? Googling and searching this forum hasn’t helped (yet). The command I’m using is: sudo less /var/log/auth.log
On my system, sudo journalctl --reverse _TRANSPORT=audit shows all audit events across multiple reboots (oldest entries are from December in my case).
You could grep for USER_AUTH and further reduce the amount of output using head or read through the interesting lines using less.
That way, you should be able to track every login attempt. Note that in my case, the relevant entries do not contain the keyword login. That might be why you don’t see the relevant parts.
You are looking for something like:
Aug 04 10:20:36 dom0 audit[12345]: USER_AUTH pid=12345 uid=1000 auid=1000 ses=2 msg='op=PAM:unix_chkpwd acct="alice" exe="/usr/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'
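One way to reduce that journal output to just the failed attempts and their times, as an added example that is not part of the original posts: the function name, the tab-separated output and the sample lines are assumptions, with the sample constructed from the entry quoted above.

```shell
#!/bin/sh
# Added example: print time, account and executable for every failed
# USER_AUTH audit record read on stdin (default short journal format).
failed_auth_events() {
    awk '
    / USER_AUTH / && /res=failed/ {
        ts = $1 " " $2 " " $3            # month, day, time
        acct = "?"; exe = "?"            # "?" when the field is not quoted
        if (match($0, /acct="[^"]*"/))
            acct = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /exe="[^"]*"/))
            exe = substr($0, RSTART + 5, RLENGTH - 6)
        print ts "\t" acct "\t" exe
    }'
}

# Constructed sample input: two failures, one success, and one record of
# another type that also ends in res=failed and must be ignored.
sample_journal() {
    cat <<'EOF'
Aug 04 10:20:36 dom0 audit[12345]: USER_AUTH pid=12345 uid=1000 auid=1000 ses=2 msg='op=PAM:unix_chkpwd acct="alice" exe="/usr/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'
Aug 04 10:21:02 dom0 audit[12350]: USER_AUTH pid=12350 uid=1000 auid=1000 ses=2 msg='op=PAM:unix_chkpwd acct="alice" exe="/usr/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=success'
Aug 05 03:14:59 dom0 audit[20111]: CRED_ACQ pid=20111 uid=0 auid=1000 ses=2 msg='op=PAM:setcred acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=failed'
Aug 05 03:15:07 dom0 audit[20120]: USER_AUTH pid=20120 uid=1000 auid=1000 ses=2 msg='op=PAM:unix_chkpwd acct="alice" exe="/usr/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'
EOF
}

# Offline demonstration on the constructed sample.
sample_journal | failed_auth_events

# Real use in a dom0 terminal (command taken from the reply above):
#   sudo journalctl --reverse _TRANSPORT=audit | failed_auth_events
```

The timestamps printed are in the journal's local time, so compare them against the system clock before matching them to other evidence.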