Rsyslog – Save login to a seperate file
Create a new rsyslog config file
sudo vim /etc/rsyslog.d/10-auth.log.confAdd the following text
:msg, contains, ":session" /var/log/rsyslog-auth.log
:msg, contains, ":auth" /var/log/rsyslog-auth.log
:msg, contains, "COMMAND=" /var/log/rsyslog-auth.log
:msg, contains, "session opened for user root by" /var/log/rsyslog-auth.log
:msg, contains, "sudo:session" /var/log/rsyslog-auth.log
auth,authpriv /var/log/auth.log