journalctl

by component path (e.g. ssh)

journalctl -r /usr/sbin/sshd

journalctl /usr/bin/bash

by other services

journalctl -u nginx.service

journalctl -u nginx.service -u php-fpm.service --since today

for the current boot (everything since the last boot)

journalctl -b

since a time

journalctl --since "2023-07-29 15:00:00"

since / until

journalctl --since "2023-07-20" --until "2023-07-21 03:00"

journalctl --since yesterday

journalctl --since 09:00 --until "1 hour ago"

show errors only (priority err and more severe, current boot)

journalctl -p err -b

following logs

journalctl -f

display recent logs (last 10 lines by default, or the number given)

journalctl -n

journalctl -n 20

Logins and failed logins

journalctl is the best tool for this. If auditd is running, the messages can't even be spoofed. Audit type 1112 is USER_LOGIN.

  • show logins: journalctl -q _AUDIT_TYPE=1112 _TRANSPORT=audit
  • show failed logins: journalctl -q _AUDIT_TYPE=1112 _TRANSPORT=audit | grep failed
  • also: journalctl -u 'systemd-logind' --since "today" --until "tomorrow"
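
As an added example (not part of the original notes), the failed-login filter above can be turned into a per-source-address summary for triage. The function names and the sample records are constructed, and the record layout (addr= and res= fields in USER_LOGIN messages) is an assumption about what sshd logins look like on an audit-enabled host.

```shell
#!/bin/sh
# Summarize failed USER_LOGIN audit records (type 1112) per source address.
# Input: journalctl short-format lines on stdin.
# Optional argument: minimum number of failures an address needs to be listed.

failed_logins_by_addr() {
  awk -v min="${1:-1}" '
    / USER_LOGIN / && /res=failed/ {
      addr = "?"                       # records without addr= are grouped under "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^addr=/) addr = substr($i, 6)
      }
      count[addr]++
    }
    END {
      for (a in count) if (count[a] >= min) printf "%d %s\n", count[a], a
    }
  ' | sort -k1,1nr -k2,2               # busiest source first
}

# Constructed sample records (documentation address ranges), not real log data.
sample_records() {
  cat <<'EOF'
Jul 29 15:01:02 host1 audit[2211]: USER_LOGIN pid=2211 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
Jul 29 15:01:09 host1 audit[2214]: USER_LOGIN pid=2214 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
Jul 29 15:01:15 host1 audit[2219]: USER_LOGIN pid=2219 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
Jul 29 15:07:41 host1 audit[2302]: USER_LOGIN pid=2302 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="deploy" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
Jul 29 15:09:03 host1 audit[2310]: USER_LOGIN pid=2310 uid=0 auid=1000 ses=12 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
EOF
}

# "--live" reads today's records from the journal; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
  journalctl -q _AUDIT_TYPE=1112 _TRANSPORT=audit --since today |
    failed_logins_by_addr "${2:-1}"
else
  sample_records | failed_logins_by_addr
fi
```

Run with `--live 5` to list only addresses with at least five failed logins today.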

config

/etc/systemd/journald.conf
