I can't find it anywhere, please help
sudo journalctl.
Almost every distro has moved away from traditional syslog and switched to systemd-journald.
I don’t think you need “sudo” for this.
If your regular user isn’t part of the adm or wheel group, you will need sudo.
journalctl -u
On Clear Linux, I need to display messages filtered by unit, particularly sshd.
None of the following commands return results:
journalctl -u ssh
journalctl -u sshd
journalctl -u sshd.service
On Debian Buster the following DO display messages:
journalctl -u ssh
journalctl -u ssh.service
tail /var/log/auth.log.1
As far as I can see:
Debian systemctl status shows ssh.service as child of system.slice
CGroup: /
|
|
|_system.slice
|
|
|_ssh.service
Clear Linux systemctl status shows ssh.service as child of user.slice
CGroup: /
├─591 bpfilter_umh
├─user.slice
│ └─user-0.slice
│ ├─user@0.service …
│ │ └─init.scope
│ │ ├─26546 /usr/lib/systemd/systemd --user
│ │ └─26547 (sd-pam)
│ └─session-13.scope
│ ├─26533 sshd: root@pts/0
│ ├─26552 -bash
│ ├─26930 systemctl status
│ └─26931 less
├─init.scope
│ └─1 /usr/lib/systemd/systemd
└─system.slice
├─clr_debug_fuse.service
So how exactly do we retrieve a historical list of sshd logins on Clear Linux via journalctl?
For reference, Debian has both systemd-journald and syslog.
In this case, on Debian we can retrieve ssh service login history with both journalctl and syslog via /var/log/auth.log.1
Cannot test, but journalctl _COMM=sshd should work.
spktkpkt
journalctl _COMM=sshd
Indeed, this does work, but why, and what do all these extra bits _COMM= mean?
Why is it so different to every other journalctl?
Where is documentation about this?
What other distributions have this instead of the -u (unit) option?
It isn’t really different and should work on most distributions that use systemd / journalctl.
See man journalctl, there is a hint to systemd.journal-fields(7).
There are a lot more fields, _COMM is command.
This is a change in systemd-244 I believe. I do not understand why, but it used to work. For some reason it no longer does. It’s an upstream change, so, in due time other distributions will also see this no longer work.
Systemd guy says the opposite:
No changes in this area have been made upstream (and journalctl -u sshd certainly works here with git master). Seems to be a downstream issue, please file a report against your distro.
Well, sorry, but, I was wrong. There doesn’t seem to be a regression here at all.
I went back as far as release 29510 or so (2+ years) and this behavior was always the case, so, it’s not a regression.
I don’t have a better solution than the _COMM= method, sorry.
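The difference between filtering by unit and by _COMM discussed in this thread, shown as an added example that is not from any of the posters: it applies both filters to records shaped like `journalctl -o json` output and pulls a login history out of the sshd messages. Assumptions: all records, users and addresses are constructed sample data, and -u is simplified to an equality match on the _SYSTEMD_UNIT field.

```python
import json
import re
from datetime import datetime, timezone

# Constructed records in the shape of `journalctl -o json` (one object per line).
# Unit names, users and addresses are sample values, not taken from a real host.
SAMPLE = "\n".join(json.dumps(r) for r in [
    {"__REALTIME_TIMESTAMP": "1577873100000000", "_COMM": "sshd", "_SYSTEMD_UNIT": "ssh.service",
     "MESSAGE": "Accepted publickey for alice from 192.0.2.10 port 51234 ssh2"},
    {"__REALTIME_TIMESTAMP": "1577873160000000", "_COMM": "sshd", "_SYSTEMD_UNIT": "session-13.scope",
     "MESSAGE": "Failed password for invalid user admin from 203.0.113.5 port 2222 ssh2"},
    {"__REALTIME_TIMESTAMP": "1577873220000000", "_COMM": "sshd", "_SYSTEMD_UNIT": "session-13.scope",
     "MESSAGE": list(b"Accepted password for root from 198.51.100.7 port 40022 ssh2")},
    {"__REALTIME_TIMESTAMP": "1577873280000000", "_COMM": "sudo", "_SYSTEMD_UNIT": "session-13.scope",
     "MESSAGE": "pam_unix(sudo:session): session opened for user root"},
])

LOGIN = re.compile(r"^(Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")

def match(text, **fields):
    """Keep records whose fields all equal the given values, like FIELD=value matches."""
    recs = (json.loads(line) for line in text.splitlines() if line.strip())
    return [r for r in recs if all(r.get(k) == v for k, v in fields.items())]

def message(rec):
    """Return MESSAGE as text; JSON output encodes non-UTF-8 payloads as byte arrays."""
    m = rec.get("MESSAGE") or ""
    return bytes(m).decode("utf-8", "replace") if isinstance(m, list) else m

def logins(recs):
    """Extract (UTC time, result, user, source address) from sshd auth messages."""
    out = []
    for r in recs:
        m = LOGIN.match(message(r))
        if m:
            secs = int(r["__REALTIME_TIMESTAMP"]) // 1_000_000  # microseconds since epoch
            when = datetime.fromtimestamp(secs, timezone.utc).isoformat()
            out.append((when, m.group(1), m.group(2), m.group(3)))
    return out

if __name__ == "__main__":
    print("unit sshd.service:", len(match(SAMPLE, _SYSTEMD_UNIT="sshd.service")))
    print("unit ssh.service: ", len(match(SAMPLE, _SYSTEMD_UNIT="ssh.service")))
    for row in logins(match(SAMPLE, _COMM="sshd")):
        print(*row)
```

On a live host the same functions can be fed the text produced by `journalctl _COMM=sshd -o json` in place of SAMPLE.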