UNIX / Linux: Send E-mail When sudo Runs

last updated in Categories , , , , , , , , , , ,

I‘m not told to use the root user to perform activities that do not require it. I’ve configured sudo for myself and for other web developers so that they can restart MySQL or Apache web server. How do I send email when sudo run by one of my user? How do I keep track of user login done via sudo command?

sudo does greatly enhances the security of the system without sharing root password with other users and admins. sudo provides simple auditing and tracking features too.


Configure sudo To Send E-mail

Sudo can be configured to to send e-mail when the sudo command is used. Open /etc/sudoers file, enter:
# vi /etc/sudoers
Configure alter email id:

   mailto "admin@staff.example.com" 
   mail_always on


  • mailto “admin@staff.example.com” : Your email id.
  • mail_always : Send mail to the mailto user every time a users runs sudo. This flag is off by default.

Additional options:

mail_badpassSend mail to the mailto user if the user running sudo does not enter the correct password. This flag is off by default.
mail_no_hostIf set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host. This flag is off by default.
mail_no_permsIf set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.
mail_no_userIf set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.

Sudo Logfile

By default, sudo logs vis syslog. You can see sudo log in /var/log/auth.log (Debian / Ubuntu) or /var/log/secure (Redhat and friends). However, you can set path to the sudo log file (not the syslog log file). Setting a path turns on logging to a file; negating this option turns it off. Type the following command to edit the file:
# sudoedit /etc/sudoers
Set path to log file:

   Defaults        !lecture,tty_tickets,!fqdn,!syslog
   Defaults        logfile=/var/log/sudo.log

Save and close the file. To see logs type:
# tail -f /var/log/sudo.log
# egrep -i 'foo' /var/log/sudo.log
# egrep -i 'user1|user2|cmd2' /var/log/sudo.log

Sample Outputs:

Jul  1 12:30:13 : vivek : TTY=pts/3 ; PWD=/home/vivek ; USER=root ; COMMAND=/bin/bash
Jul  1 12:34:02 : vivek : TTY=pts/0 ; PWD=/home/vivek ; USER=root ;
    COMMAND=sudoedit /etc/sudoers


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

12 comment

  1. Thanks! This is one more step in creating a secure server environment and it keeps me from having to check the log files often.

    1. Im Using Centos Version

      [sysadmin@li406-64 ~]$ cat /etc/redhat-release
      CentOS release 6.4 (Final)

      I’m Using Sudo Version

      [sysadmin@backup-srv ~]$ sudo -V
      Sudo version 1.8.6p3
      Sudoers policy plugin version 1.8.6p3
      Sudoers file grammar version 42
      Sudoers I/O plugin version 1.8.6p3

      tried to setup notification mail for sudo, added this entry in bottom of sudo file using command visudo, But getting syntax error

      Defaults mailto “babin@xxxxxxxxx.com”
      Defaults mailfrom “root@media.xxxxxxxxxxx.com
      Defaults mail_always on
      Defaults mailsub “*** Command run via sudo on %h ***”
      Defaults mail_badpass on
      Defaults badpass_message “Please Provide Correct Password”
      Defaults !lecture,tty_tickets,!fqdn,!syslog
      Defaults logfile=/var/log/sudo.log

      This what the error im keep on getting while saving the sudo

      121 Defaults mailto “babin@xxxxxxxxx.com”
      122 Defaults mailfrom “root@media.xxxxxxxxxxx.com
      123 Defaults mail_always on
      124 Defaults mailsub “*** Command run via sudo on %h ***”
      125 Defaults mail_badpass on
      126 Defaults badpass_message “Please Provide Correct Password”
      127 Defaults !lecture,tty_tickets,!fqdn,!syslog
      128 Defaults logfile=/var/log/sudo.log


      visudo: >>> /etc/sudoers: syntax error near line 121 <<>> /etc/sudoers: syntax error near line 121 <<<
      What now?

      Please guide me how to setup the mail notification for Sudo version 1.8.6p3

  2. I want to configure SUDO password when I use sudo command in terminal than It should be ask for password every time.
    When I use putty and cert key than it is not asked for password.

  3. Vivek: I have the same problem as Rolf. My sudo version is 1.6.9p17

    And this is what happens:
    I am editing /etc/sudoers with visudo. The result of adding 3 lines which you can find below:

    Defaults env_reset
    mailto “admin@staff.example.com”
    mail_always on

    is that I’m getting error message:

    ambrozy@zeus:~$ sudo visudo
    >>> sudoers file: syntax error, line 8 <<>> sudoers file: syntax error, line 10 <<<

    with "Defaults" at the beggining it's working fine:

    Defaults !lecture,tty_tickets,!fqdn,!syslog
    Defaults logfile=/var/log/sudo.log
    Defaults mailto="noc@wired.pl",mail_always
    Defaults mail_badpass, mailsub="** BAD AUTHENICATION: %U %h **"
    Defaults mail_no_user, mailsub="** USER NOT IN SUDOERS: %U %h **"
    Defaults mail_no_perms, mailsub="** SUDO PERMISSION ABUSE: %U %h **"

  4. Be careful while editing sudoers file u wont be able to get access as root again in that case enter single user mode (recovery mode ) and delete line we had added in sudoers file and reboot…i too got error while editing sudoers file

  5. @Sandeep

    That’s because you’re not supposed to edit /etc/sudoers. You’re a human. That file is not for humans. Do not attempt to edit that file. Instead, run the command visudo.

  6. [root@Local~]# cat /etc/sudoers |grep -i mail
    [root@Local ~]#
    But still getting email when user tries to use sudo command.

    Aug 19 13:44:59 : ysn_srv : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/ysn_srv ; USER=root ; COMMAND=/usr/bin/test -f /smarts/test.info

    How to stop these emails ?


    Still, have a question? Get help on our forum!