Ask Your Question

Finding SSHD logs and log filtering

asked 2015-01-31 00:02:02 -0500

Gr4cchus gravatar image

So through the stuff i read the logs are suppose to bein /var/log/secure but i havent found anything like that in fedora 21 which im assuming is because of the systemd change which in that case you would use journalctl _COMM=sshd or journalctl _SYSTEMD_UNIT=sshd.service if there is another service running in parallel?

Well my question is how do i filter out this even more like the entries listed after [14377]: like input_userauth or a user here is a example: Jan 30 15:48:30 localhost.localdomain sshd[14377]: input_userauth_request: invalid user admin [preauth]

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2015-02-01 00:40:59 -0500

hedayat gravatar image

Yes, you can also use -u as a shortcut (rather than _SYSTEMD_UNIT), and it also accept patterns rather than exact unit names. Also, the .service part is optional: journalctl -u sshd would also work. You can also filter messages based on number of boots, or by date.

I have not seen any pattern based message filtering in journalctl; but you can do what I do: use grep!

journalctl -u sshd | grep "input_userauth_request:"
edit flag offensive delete link more


Nice, is there one for _COMM ?

Gr4cchus gravatar imageGr4cchus ( 2015-02-18 22:05:00 -0500 )edit

You're welcome. What? A shortcut? AFAIK No (according to man journalctl). Additionally, -u includes additional matches for messages from systemd and messages about coredumps for the specified unit

hedayat gravatar imagehedayat ( 2015-02-19 14:37:41 -0500 )edit

On my Fedora 21, I'm told that -u is an invalid option

dhjdhj gravatar imagedhjdhj ( 2015-07-05 06:38:30 -0500 )edit

Did you type the command (rather than copy-pasting it)? It should work! Either there is something wrong with the command you typed, or with your system! Also, you can try journalctl --help | grep unit to see if it lists -u.

hedayat gravatar imagehedayat ( 2015-07-05 16:57:07 -0500 )edit

Question Tools

1 follower


Asked: 2015-01-31 00:02:02 -0500

Seen: 6,395 times

Last updated: Feb 01 '15