journalctl

https://www.loggly.com/ultimate-guide/using-journalctl/ https://www.digitalocean.com/community/tutorials/how-to-use-journalctl-to-view-and-manipulate-systemd-logs

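search by user (_UID is the numeric user ID of the logging process, see `id -u <user>`; fields with a leading underscore are added by journald itself and cannot be set by the logging client)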

journalctl _UID=<uid>

search by command

journalctl /usr/bin/sudo
journalctl $(which sudo)
journalctl -t sudo
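-t (--identifier) shows only entries with that syslog identifier; the identifier is chosen by the logging process, whereas the path forms above match the _EXE field recorded by journald, so prefer the path form when auditing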

show all available values for _SYSTEMD_UNIT http://0pointer.de/blog/projects/journalctl.html

journalctl -F _SYSTEMD_UNIT

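show login attempts (systemd-logind records sessions being created and removed; failed authentication is logged by the service doing the authentication, e.g. sshd or sudo via PAM, so check those entries as well)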

journalctl _SYSTEMD_UNIT=systemd-logind.service
journalctl _SYSTEMD_UNIT=systemd-logind.service --since today
journalctl _SYSTEMD_UNIT=systemd-logind.service --since yyyy-mm-dd
journalctl _SYSTEMD_UNIT=gdm.service --since yy-mm-dd
sudo grep -A1 "plugin=panel" /home/<user>/.kde/share/config/plasma-desktop-appletsrc

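clear old logs (removes archived journal files permanently, active files are not touched; export or forward anything needed for audit or incident response first)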

journalctl --vacuum-time=2d #retain last 2 days
journalctl --vacuum-size=500M #retain last 500MB

systemctl