CompTIA Linux+ (XK0-004) — Question 25

A systems administrator has set up third-party log aggregation agents across several cloud instances. The systems administrator wants to create a dashboard of failed SSH attempts and the usernames used.
Which of the following files should be watched by the agents?

Answer options

• A. /var/log/audit/audit.log
• B. /var/log/kern.log
• C. /var/log/monitor
• D. /etc/rsyslog.conf

Correct answer: A

Explanation

The correct file to monitor for failed SSH attempts and associated usernames is /var/log/audit/audit.log, as it captures detailed audit records including authentication failures. The other options either do not log SSH attempts (like /var/log/kern.log and /var/log/monitor) or are configuration files (like /etc/rsyslog.conf) that do not contain the actual event logs.