View password change logs in Linux
Last updated on: 2020-10-23
Authored by: James Andrade
Logs are a valuable asset when troubleshooting servers and checking for root password changes. Password changes are logged in the following files:
For Ubuntu®/Debian® systems:
/var/log/auth.log
For CentOS®/RHEL® systems:
/var/log/secure
To check for root password changes, look for lines that mention either of the following messages:
password changed for root
Password for root was changed
