Monitoring login log messages using journalctl
I know I can monitor login message like so:
Code:
[root@server1 log]# tail -f -n 3 /var/log/secure
Feb 17 07:17:40 server1 unix_chkpwd[4877]:
password check failed for user (lisa)
Feb 17 07:17:40 server1 su: pam_unix(su-l:auth):
authentication failure; logname=user1 uid=1000
euid=0 tty=pts/2 ruser=user1 rhost= user=lisa
Feb 17 07:17:43 server1 su: pam_ldap(su-l:auth):
error reading from nslcd: Connection reset by peer
For above result, I
purposely failed login for user lisa using this command:
So I thought I try using journalctl to follow login log messages:
Code:
[root@server1 log]# journalctl -f -n 3 _SYSTEMD_UNIT=systemd-logind.service
-- Logs begin at Fri 2017-02-17 04:53:07 MST. --
Feb 17 04:55:32 server1.example.com systemd-logind[701]: New session 2 of user root.
Feb 17 06:12:24 server1.example.com systemd-logind[701]: New session 13 of user root.
Feb 17 06:43:57 server1.example.com systemd-logind[701]: New session 17 of user user1.
^C
BUT it does not work for su command.
What is the fix to using journalctl for viewing login events like su command?
Thank you.