On 16/11/2018 00:43, Maxe wrote:
> Hi,
> 
> One of our systems, running Arch Linux, was compromised (a
> non-privileged account, fortunately). But, we could not find
> /var/log/auth.log or similar for investigation. Does the journal keep
> track of login attempts?

Yes.

journalctl allows access to the logs from sshd: `journalctl -u sshd`

Also,

https://classic.startpage.com/do/search?q=arch+auth.log

points to:

https://wiki.archlinux.org/index.php/systemd#Facility

which says:

> * Show auth.log equivalent by filtering on syslog facility:
>
> # journalctl SYSLOG_FACILITY=10

which is worth a go.
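
One way to triage the sshd lines that either journalctl command above returns, as an added example that is not part of the original message. The function names and the sample log lines are constructed, and the parsing assumes OpenSSH's usual "Failed password for ..." and "Accepted <method> for ..." messages in journalctl's default output format.

```shell
# Added example: summarise sshd login attempts from journal output on stdin.
# Live use: journalctl -u sshd --no-pager | summarize_ssh_auth
#       or: journalctl SYSLOG_FACILITY=10 --no-pager | summarize_ssh_auth
summarize_ssh_auth() {
    awk '
    / sshd\[[0-9]+\]: (Failed|Accepted) / {
        # The user name is client-supplied text, so anchor on the LAST
        # "from <ip> port" triple instead of the first "from" on the line.
        pos = 0
        for (i = 1; i <= NF - 2; i++)
            if ($i == "from" && $(i + 2) == "port") pos = i
        if (pos == 0) next
        ip = $(pos + 1); user = $(pos - 1)
        # The event kind and auth method follow the "sshd[pid]:" field.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^sshd\[[0-9]+\]:$/) { kind = $(i + 1); method = $(i + 2); break }
        if (kind == "Failed") {
            failed[ip]++
        } else {
            # A success preceded by failures from the same address is
            # the pattern to look at first after a compromise.
            n = (ip in failed) ? failed[ip] : 0
            printf "ACCEPTED %s %s %s prior_failures=%d\n", user, ip, method, n
        }
    }
    END { for (ip in failed) printf "FAILED %d %s\n", failed[ip], ip }
    '
}

# Constructed sample input (documentation addresses, not real log data).
sample_journal() {
    cat <<'EOF'
Nov 15 22:10:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov 15 22:10:09 host sshd[1234]: Failed password for deploy from 203.0.113.5 port 51236 ssh2
Nov 15 22:10:15 host sshd[1240]: Failed password for invalid user x from 192.0.2.1 port 1 from 203.0.113.5 port 51240 ssh2
Nov 15 22:14:30 host sshd[1301]: Accepted password for deploy from 203.0.113.5 port 51300 ssh2
Nov 15 22:20:00 host sshd[1400]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Nov 15 22:21:00 host su[1500]: pam_unix(su:session): session opened for user root
EOF
}

sample_journal | summarize_ssh_auth
```

ACCEPTED lines come out in log order with the number of earlier failures from the same address; FAILED lines give the per-address totals at the end.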
