16 Nov
2018
16 Nov
'18
1 a.m.
On Fri, Nov 16, 2018 at 01:43:17AM +0100, Maxe wrote:
Hi,
One of our systems, running ARCH Linux, was compromised (a non-privileged account, fortunately). But, we could not find /var/log/auth.log or similar for investigation. Does the journal keep track of login attempts? It seems that ARCH does not run [r]syslogd.
If you want authpriv messages, then run "journalctl SYSLOG_FACILITY=10". See https://en.wikipedia.org/wiki/Syslog#Facility for mapping between numerical and mnemonic facility IDs. Oh, and do install syslog-ng :) Cheers, -- Leonid Isaev