LinuxQuestions.org

Linux - Newbie forum: Monitoring login and su messages using journalctl (https://www.linuxquestions.org/questions/linux-newbie-8/monitoring-login-and-su-messages-using-journalctl-4175600022/)

fanoflq 02-17-2017 03:48 PM

Monitoring login and su messages using journalctl
 
Monitoring login log messages using journalctl

I know I can monitor login messages like so:
Code:

[root@server1 log]# tail -f -n 3 /var/log/secure
Feb 17 07:17:40 server1 unix_chkpwd[4877]: password check failed for user (lisa)
Feb 17 07:17:40 server1 su: pam_unix(su-l:auth): authentication failure; logname=user1 uid=1000 euid=0 tty=pts/2 ruser=user1 rhost=  user=lisa
Feb 17 07:17:43 server1 su: pam_ldap(su-l:auth): error reading from nslcd: Connection reset by peer

For the above result, I purposely failed a login for user lisa using this command:
Code:

su - lisa
So I thought I'd try using journalctl to follow login log messages:
Code:

[root@server1 log]# journalctl -f -n 3 _SYSTEMD_UNIT=systemd-logind.service
-- Logs begin at Fri 2017-02-17 04:53:07 MST. --
Feb 17 04:55:32 server1.example.com systemd-logind[701]: New session 2 of user root.
Feb 17 06:12:24 server1.example.com systemd-logind[701]: New session 13 of user root.
Feb 17 06:43:57 server1.example.com systemd-logind[701]: New session 17 of user user1.
^C

BUT it does not work for the su command.
What is the fix for using journalctl to view login events like the su command?
Thank you.

norobro 02-17-2017 07:28 PM

This works on my machine:
Code:

$ journalctl -f -n3 -t su
From the journalctl man page:
Quote:

-t, --identifier=SYSLOG_IDENTIFIER
Show messages for the specified syslog identifier SYSLOG_IDENTIFIER.

To see all of the fields execute:
Code:

$ journalctl -o verbose
From the man page:
Quote:

-o, --output=
Controls the formatting of the journal entries that are shown. Takes one of the
following options:
...
verbose
shows the full-structured entry items with all fields.
...
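
A worked example added here (not from this thread, not part of journalctl or systemd): read the per-line JSON that `journalctl -t su -o json` emits, keep only the entries tagged with the `su` syslog identifier, and pull the failed authentications out of the pam_unix message format shown in the first post, so that repeated failures against a given account can be counted. The journal lines below are constructed for the example; `__REALTIME_TIMESTAMP`, `_HOSTNAME`, `_PID`, `SYSLOG_IDENTIFIER` and `MESSAGE` are standard journal fields.

```python
import json
import re
from collections import Counter

# Constructed sample of `journalctl -t su -o json` output (one JSON object per line),
# modelled on the su/pam_unix lines quoted in this thread; not real journal data.
SAMPLE_JOURNAL = """\
{"__REALTIME_TIMESTAMP":"1487341060000000","_HOSTNAME":"server1","SYSLOG_IDENTIFIER":"su","_PID":"4876","MESSAGE":"pam_unix(su-l:auth): authentication failure; logname=user1 uid=1000 euid=0 tty=pts/2 ruser=user1 rhost=  user=lisa"}
{"__REALTIME_TIMESTAMP":"1487341063000000","_HOSTNAME":"server1","SYSLOG_IDENTIFIER":"su","_PID":"4876","MESSAGE":"pam_ldap(su-l:auth): error reading from nslcd: Connection reset by peer"}
{"__REALTIME_TIMESTAMP":"1487341100000000","_HOSTNAME":"server1","SYSLOG_IDENTIFIER":"su","_PID":"4901","MESSAGE":"pam_unix(su-l:auth): authentication failure; logname=user1 uid=1000 euid=0 tty=pts/2 ruser=user1 rhost=  user=root"}
{"__REALTIME_TIMESTAMP":"1487341130000000","_HOSTNAME":"server1","SYSLOG_IDENTIFIER":"su","_PID":"4950","MESSAGE":"(to lisa) user1 on pts/2"}
"""

# pam_unix "authentication failure" messages carry key=value pairs; rhost may be empty.
AUTH_FAIL_RE = re.compile(r"pam_unix\((?P<service>[^)]+)\): authentication failure; (?P<kv>.*)$")

def parse_auth_failure(message):
    """Return the key=value pairs of a pam_unix auth-failure MESSAGE as a dict, or None."""
    m = AUTH_FAIL_RE.search(message)
    if not m:
        return None
    fields = {"service": m.group("service")}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("kv")):
        fields[key] = value          # e.g. ruser=user1, user=lisa, rhost="" (empty)
    return fields

def su_failures(journal_json_text):
    """Yield one record per failed su authentication found in journalctl -o json output."""
    for line in journal_json_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("SYSLOG_IDENTIFIER") != "su":   # same filter as `journalctl -t su`
            continue
        fields = parse_auth_failure(entry.get("MESSAGE", ""))
        if fields is None:                           # not a pam_unix failure line
            continue
        yield {
            "ts_usec": int(entry["__REALTIME_TIMESTAMP"]),  # journal stores microseconds
            "host": entry.get("_HOSTNAME"),
            "pid": entry.get("_PID"),
            "from_user": fields.get("ruser"),
            "target_user": fields.get("user"),
            "tty": fields.get("tty"),
        }

def failures_by_target(journal_json_text):
    """Count failed su attempts per (source user, target user) pair, e.g. to flag root targets."""
    return Counter((r["from_user"], r["target_user"]) for r in su_failures(journal_json_text))
```

On a live host the same functions can be fed with the output of `journalctl -t su -o json --since today`.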


fanoflq 02-17-2017 08:01 PM

@norobro:
Thank you.

I am adding this for future reference.
Quote:

-t, --identifier=SYSLOG_IDENTIFIER|PATTERN
Show messages for the specified syslog identifier
SYSLOG_IDENTIFIER, or for any of the messages
with a "SYSLOG_IDENTIFIER" matched by PATTERN.

Where can I find definitions of SYSLOG_IDENTIFIER?

Quote:

man systemd.journal-fields
SYSLOG_FACILITY=, SYSLOG_IDENTIFIER=, SYSLOG_PID=
Syslog compatibility fields containing
the facility (formatted as decimal string),
the identifier string (i.e. "tag"),
and the client PID. (Note that the
tag is usually derived from glibc's
program_invocation_short_name variable,
see program_invocation_short_name(3).)
...
which leads to this:

Quote:

man program_invocation_short_name
DESCRIPTION
program_invocation_name contains the
name that was used to invoke the calling
program. This is the same as the value
of argv[0] in main(), with the difference
that the scope of program_invocation_name is global.

program_invocation_short_name contains
the basename component of name that was
used to invoke the calling program.
That is, it is the same value as
program_invocation_name, with all
text up to and including the final
slash (/), if any, removed.
...

