Where is /var/log/messages in clearlinux

I can't find it anywhere, please help

sudo journalctl.

Almost every distro has moved away from traditional syslog and switched to systemd-journald.


I don’t think you need “sudo” for this.

If your regular user isn’t part of the adm or wheel group, you will need sudo.

journalctl -u
On Clear Linux, I need to display messages filtered by unit, particularly sshd.

None of the following commands return results:
journalctl -u ssh
journalctl -u sshd
journalctl -u sshd.service

On Debian Buster the following DO display messages:
journalctl -u ssh
journalctl -u ssh.service

tail /var/log/auth.log.1

As far as I can see:

Debian systemctl status shows ssh.service as child of system.slice
CGroup: /
|
|
|_system.slice
|
|
|_ssh.service

Clear Linux systemctl status shows ssh.service as child of user.slice
CGroup: /
        ├─591 bpfilter_umh
        ├─user.slice
        │ └─user-0.slice
        │   ├─user@0.service …
        │   │ └─init.scope
        │   │   ├─26546 /usr/lib/systemd/systemd --user
        │   │   └─26547 (sd-pam)
        │   └─session-13.scope
        │     ├─26533 sshd: root@pts/0
        │     ├─26552 -bash
        │     ├─26930 systemctl status
        │     └─26931 less
        ├─init.scope
        │ └─1 /usr/lib/systemd/systemd
        └─system.slice
          ├─clr_debug_fuse.service

So how exactly do we retrieve a historical list of sshd logins on Clear Linux via journalctl?

For reference, Debian has both systemd-journald and syslog.

In this case, on Debian we can retrieve ssh service login history with both journalctl and syslog via /var/log/auth.log.1

Cannot test, but journalctl _COMM=sshd should work.

spktkpkt :grinning: :grinning: :grinning: :grinning: :grinning: :grinning:

journalctl _COMM=sshd

Indeed, this does work, but why, and what do all these extra bits like _COMM= mean?

Why is it so different from every other journalctl?

Where is documentation about this?

What other distributions have this instead of the -u (unit) option?

It isn’t really different and should work on most distributions that use systemd / journalctl :slight_smile:

See man journalctl, there is a hint to systemd.journal-fields(7)

There are a lot more fields, _COMM is command.


This is a change in systemd-244 I believe. I do not understand why, but it used to work. For some reason it no longer does. It’s an upstream change, so, in due time other distributions will also see this no longer work.

Systemd guy says the opposite:
No changes in this area have been made upstream (and journalctl -u sshd certainly works here with git master). Seems to be a downstream issue, please file a report against your distro.

Well, sorry, but, I was wrong. There doesn’t seem to be a regression here at all.

I went back as far as release 29510 or so (2+ years) and this behavior was always the case, so, it’s not a regression.

I don’t have a better solution than the _COMM= method, sorry.

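An added example, not part of any post in this thread: `journalctl -u` matches on the unit recorded in each entry (`_SYSTEMD_UNIT`), while `_COMM=` matches on the process name, so this sketch parses `journalctl _COMM=sshd -o json` output to list sshd login attempts and count which unit names the entries actually carry. The sample entries, addresses and unit names are constructed assumptions, not output from a Clear Linux host.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

def _entry(usec, unit, message):
    """Build one line shaped like `journalctl -o json` output (constructed data)."""
    return json.dumps({"__REALTIME_TIMESTAMP": str(usec), "_COMM": "sshd",
                       "_SYSTEMD_UNIT": unit, "MESSAGE": message})

T0 = 1577880000000000  # 2020-01-01T12:00:00Z in microseconds
# Constructed sample; unit names and addresses are illustrative assumptions.
SAMPLE = "\n".join([
    _entry(T0, "sshd@example.service",
           "Accepted publickey for root from 192.0.2.10 port 51234 ssh2"),
    _entry(T0 + 60_000_000, "sshd@example.service",
           "Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2"),
    # journald writes a MESSAGE with non-UTF-8 bytes as an array of byte values;
    # this entry uses that array form to exercise the decoding path.
    _entry(T0 + 120_000_000, "session-13.scope",
           list(b"Failed password for root from 203.0.113.5 port 2222 ssh2")),
    _entry(T0 + 180_000_000, "session-13.scope",
           "pam_unix(sshd:session): session opened for user root by (uid=0)"),
])

LOGIN_RE = re.compile(
    r"^(Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")

def parse_logins(journal_json):
    """Return (login events, Counter of _SYSTEMD_UNIT values) from JSON lines."""
    events, units = [], Counter()
    for line in journal_json.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        msg = entry.get("MESSAGE")
        if isinstance(msg, list):
            msg = bytes(msg).decode("utf-8", "replace")
        if not isinstance(msg, str):
            continue  # oversized fields are emitted as null
        units[entry.get("_SYSTEMD_UNIT", "(none)")] += 1
        m = LOGIN_RE.match(msg)
        if m:
            ts = datetime.fromtimestamp(int(entry["__REALTIME_TIMESTAMP"]) / 1e6, tz=timezone.utc)
            events.append({"time": ts.isoformat(), "result": m.group(1), "method": m.group(2),
                           "user": m.group(3), "source": m.group(4), "port": int(m.group(5))})
    return events, units

if __name__ == "__main__":
    events, units = parse_logins(SAMPLE)
    print(*events, dict(units), sep="\n")
```

On a live host, pass the text of `journalctl _COMM=sshd -o json` to `parse_logins`; the unit counter shows which names would have to be given to `-u` to see the same entries.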