UNIX for Dummies Questions & Answers

Which file logs accesses to superuser? I know sulog does it on some systems.
Thanks.

Which operating system are you using?

I found all of our systems to use an "sulog" file:

AIX 4.3.3 = /usr/adm/sulog
AIX 5.1 = /usr/adm/sulog
HP-UX = /usr/adm/sulog
PTX = /usr/adm/sulog
and
/usr/adm/ktlog/`date +%Y`/`date +%m`/`date +%d`

The second entry for the PTX OS will only log the changes to root, not other users.

You didn't mention what "flavor" of UNIX.
Different UNIX systems utilize log files in different locations and with different names.
The log file structure on Solaris 7 is...

All successful and unsuccessful su attempts are
logged to /var/adm/sulog. Keeping track of who is
using the su command specifically who is
attempting to su to root is critical for
successful security monitoring.

To log failed login in attempts Solaris uses
/var/adm/loginlog. This file must be created
manually be owned by root and group sys, and must
have the permissions of 600. Log entries will be
created after five failed login attempts by
default.

The last command monitors who is logged into your
systems, and when, and from where. It's
information is logged to the /var/adm/wtmpx file.
This file is stored in binary format and the last
command must be used to read the file.

System events including software and hardware.
Events are logged into the /var/adm/messages file.
These include hardware errors, Operating System
errors, and security related messages. These
messages could be generated from successful and
failed logins, connections from TCP-Wrappers, su
attempts, and from sshd.

The system is Red Hat Linux 7.1.
Thanks.

You should see a file called
/var/log/secure

In it you will find entries like...
Mar 15 13:08:24 myhost PAM_pwdb[13235]: (su) session opened for user root by jsmith(uid=0)