16 Nov 2018, 1:04 a.m.
On 16/11/2018 00:43, Maxe wrote:
Hi,
One of our systems, running ARCH Linux, was compromised (a non-privileged account, fortunately). But, we could not find /var/log/auth.log or similar for investigation. Does the journal keep track of login attempts?
Yes. journalctl allows access to the logs from sshd: `journalctl -u sshd`. Also, https://classic.startpage.com/do/search?q=arch+auth.log points to https://wiki.archlinux.org/index.php/systemd#Facility, which says:
* Show auth.log equivalent by filtering on syslog facility:
# journalctl SYSLOG_FACILITY=10
which is worth a go.
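A triage sketch for the journal query in the reply above, added here and not part of the original thread: it reads `journalctl -o json` output and reports source addresses that logged in over SSH after repeated failed attempts. The sample records, the threshold, the function names and the extra `SYSLOG_FACILITY=4` (auth) match are assumptions, and the regex assumes OpenSSH's usual "Accepted/Failed <method> for <user> from <ip>" wording.

```python
import json
import re
from collections import defaultdict

# Constructed sample of what
#   journalctl SYSLOG_FACILITY=10 SYSLOG_FACILITY=4 -o json --no-pager
# prints: one JSON object per line, oldest first. 4 = auth, 10 = authpriv.
SAMPLE = """\
{"SYSLOG_FACILITY":"4","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"}
{"SYSLOG_FACILITY":"4","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Failed password for root from 203.0.113.7 port 51240 ssh2"}
{"SYSLOG_FACILITY":"10","SYSLOG_IDENTIFIER":"su","MESSAGE":"pam_unix(su:session): session opened for user root"}
{"SYSLOG_FACILITY":"4","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Accepted publickey for alice from 198.51.100.4 port 40022 ssh2"}
{"SYSLOG_FACILITY":"4","SYSLOG_IDENTIFIER":"sshd","MESSAGE":[255,254,10]}
{"SYSLOG_FACILITY":"4","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Failed password for deploy from 203.0.113.7 port 51252 ssh2"}
{"SYSLOG_FACILITY":"4","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Accepted password for deploy from 203.0.113.7 port 51260 ssh2"}
"""

SSHD_AUTH = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(lines):
    """Yield result/method/user/ip dicts for sshd authentication records."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        msg = rec.get("MESSAGE")
        # journald emits non-UTF-8 messages as byte arrays; skip those
        if rec.get("SYSLOG_IDENTIFIER") != "sshd" or not isinstance(msg, str):
            continue
        m = SSHD_AUTH.match(msg)
        if m:
            yield m.groupdict()

def success_after_failures(lines, threshold=3):
    """Map (ip, user) -> earlier failure count for logins that followed
    at least `threshold` failed attempts from the same address."""
    failures = defaultdict(int)
    hits = {}
    for ev in parse_events(lines):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= threshold:
            hits[(ev["ip"], ev["user"])] = failures[ev["ip"]]
    return hits

if __name__ == "__main__":
    import sys
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for (ip, user), n in success_after_failures(source).items():
        print(f"{ip} logged in as {user} after {n} failed attempts")
```

Piping the real `journalctl ... -o json --no-pager` output into the script replaces the constructed sample; which facility sshd logs under depends on its `SyslogFacility` setting, hence both matches.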