
fanoflq 02-17-2017 03:48 PM

Monitoring login and su messages using journalctl
Monitoring login log messages using journalctl

I know I can monitor login messages like so:

[root@server1 log]# tail -f -n 3 /var/log/secure
Feb 17 07:17:40 server1 unix_chkpwd[4877]:
password check failed for user (lisa)

Feb 17 07:17:40 server1 su: pam_unix(su-l:auth):
authentication failure; logname=user1 uid=1000
euid=0 tty=pts/2 ruser=user1 rhost=  user=lisa

Feb 17 07:17:43 server1 su: pam_ldap(su-l:auth):
error reading from nslcd: Connection reset by peer

For the above result, I purposely failed a login for user lisa using this command:

su - lisa
So I thought I'd try using journalctl to follow login log messages:

[root@server1 log]# journalctl -f -n 3 _SYSTEMD_UNIT=systemd-logind.service
-- Logs begin at Fri 2017-02-17 04:53:07 MST. --
Feb 17 04:55:32 systemd-logind[701]: New session 2 of user root.
Feb 17 06:12:24 systemd-logind[701]: New session 13 of user root.
Feb 17 06:43:57 systemd-logind[701]: New session 17 of user user1.

BUT it does not work for the su command.
What is the fix for using journalctl to view login events like the su command?
Thank you.

norobro 02-17-2017 07:28 PM

This works on my machine:

$ journalctl -f -n3 -t su
From the journalctl man page:

-t, --identifier=SYSLOG_IDENTIFIER
Show messages for the specified syslog identifier SYSLOG_IDENTIFIER.

To see all of the fields execute:

$ journalctl -o verbose
From the man page:

-o, --output=
Controls the formatting of the journal entries that are shown. Takes one of the
following options:
verbose
shows the full-structured entry items with all fields.

fanoflq 02-17-2017 08:01 PM

Thank you.

I am adding this for future reference.

Show messages for the specified syslog identifier
SYSLOG_IDENTIFIER, or for any of the messages
with a "SYSLOG_IDENTIFIER" matched by PATTERN.

Where can I find definitions of SYSLOG_IDENTIFIER?


man systemd.journal-fields
Syslog compatibility fields containing
the facility (formatted as decimal string),
the identifier string (i.e. "tag"),
and the client PID. (Note that the
tag is usually derived from glibc's
program_invocation_short_name variable,
see program_invocation_short_name(3).)
... ....
which leads to this ....


man program_invocation_short_name
program_invocation_name contains the
name that was used to invoke the calling
program. This is the same as the value
of argv[0] in main(), with the difference
that the scope of program_invocation_name is global.

program_invocation_short_name contains
the basename component of name that was
used to invoke the calling program.
That is, it is the same value as
program_invocation_name, with all
text up to and including the final
slash (/), if any, removed.
..... .....

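The thread's point, that su messages are found by SYSLOG_IDENTIFIER rather than by the systemd-logind unit, in code. This is an added example, not something posted in the thread: a small Python script that parses lines in the shape of `journalctl -o json` output (one JSON object per line), shows which entries a `_SYSTEMD_UNIT` filter and a `SYSLOG_IDENTIFIER` filter each select, and pulls the PAM key=value fields out of the su authentication-failure message. The journal is not read live; the sample entries, their timestamps and unit names are constructed from the messages quoted above.

```python
"""Filter journal entries the way `journalctl -t su` does and extract
PAM authentication-failure details.

Added example, not code from the thread.  The input mimics the JSON
export of `journalctl -o json`; the sample lines are constructed.
"""
import json
import re

# Constructed sample in the shape of `journalctl -o json` output.  The
# field names (_SYSTEMD_UNIT, SYSLOG_IDENTIFIER, MESSAGE,
# __REALTIME_TIMESTAMP) are documented journal fields; the values,
# timestamps and scope names are made up to match the thread.
SAMPLE_JOURNAL = r'''
{"__REALTIME_TIMESTAMP":"1487332532000000","_SYSTEMD_UNIT":"systemd-logind.service","SYSLOG_IDENTIFIER":"systemd-logind","MESSAGE":"New session 2 of user root."}
{"__REALTIME_TIMESTAMP":"1487341060000000","_SYSTEMD_UNIT":"session-17.scope","SYSLOG_IDENTIFIER":"unix_chkpwd","MESSAGE":"password check failed for user (lisa)"}
{"__REALTIME_TIMESTAMP":"1487341060000000","_SYSTEMD_UNIT":"session-17.scope","SYSLOG_IDENTIFIER":"su","MESSAGE":"pam_unix(su-l:auth): authentication failure; logname=user1 uid=1000 euid=0 tty=pts/2 ruser=user1 rhost=  user=lisa"}
{"__REALTIME_TIMESTAMP":"1487341063000000","_SYSTEMD_UNIT":"session-17.scope","SYSLOG_IDENTIFIER":"su","MESSAGE":"pam_ldap(su-l:auth): error reading from nslcd: Connection reset by peer"}
{"__REALTIME_TIMESTAMP":"1487341100000000","_SYSTEMD_UNIT":"session-17.scope","SYSLOG_IDENTIFIER":"su","MESSAGE":"(to root) user1 on pts/2"}
'''

# One pam_<module>(<service>:auth) failure line, followed by key=value pairs.
PAM_FAILURE = re.compile(
    r"pam_\w+\((?P<service>[^:)]+):auth\): authentication failure; (?P<kv>.*)$"
)


def load_entries(text):
    """Parse journalctl -o json export: one JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def filter_by_field(entries, field, value):
    """Equivalent of `journalctl FIELD=value` (or `-t value` for SYSLOG_IDENTIFIER)."""
    return [e for e in entries if e.get(field) == value]


def parse_pam_failure(message):
    """Return the PAM fields of an 'authentication failure' message, or None.

    Empty values such as 'rhost=' (a local su, no remote host) are kept as ''.
    """
    m = PAM_FAILURE.search(message)
    if not m:
        return None
    fields = {"service": m.group("service")}
    for token in m.group("kv").split():
        key, _, val = token.partition("=")
        fields[key] = val
    return fields


def su_auth_failures(entries):
    """All PAM auth failures logged under the syslog identifier 'su'."""
    failures = []
    for entry in filter_by_field(entries, "SYSLOG_IDENTIFIER", "su"):
        parsed = parse_pam_failure(entry.get("MESSAGE", ""))
        if parsed:
            failures.append(parsed)
    return failures


if __name__ == "__main__":
    entries = load_entries(SAMPLE_JOURNAL)
    # The unit filter from the question only sees logind's own messages.
    by_unit = filter_by_field(entries, "_SYSTEMD_UNIT", "systemd-logind.service")
    # The identifier filter from the answer (-t su) sees the su messages.
    by_tag = filter_by_field(entries, "SYSLOG_IDENTIFIER", "su")
    print(f"_SYSTEMD_UNIT=systemd-logind.service: {len(by_unit)} entries")
    print(f"SYSLOG_IDENTIFIER=su:                 {len(by_tag)} entries")
    for f in su_auth_failures(entries):
        print(f"su failure: {f['ruser']} (uid {f['uid']}) -> {f['user']} on {f['tty']}")
```

The same filters apply to real output piped from `journalctl -o json`, which is the machine-readable counterpart of the `-o verbose` view quoted above; the SYSLOG_IDENTIFIER value is the program's basename, as the man page excerpt explains, so `-t su` catches every su invocation regardless of which session scope it ran in.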