https://www.loggly.com/ultimate-guide/using-journalctl/ https://www.digitalocean.com/community/tutorials/how-to-use-journalctl-to-view-and-manipulate-systemd-logs

search by user (_UID is the numeric UID of the process that logged the entry; `id -u <username>` prints it)

journalctl _UID=<uid>

search by command (an executable path given as argument is matched as _EXE=<path>)

journalctl /usr/bin/sudo
journalctl $(which sudo)
journalctl -t sudo
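-t (--identifier) shows only entries with the given syslog identifier (SYSLOG_IDENTIFIER), here "sudo".
Note: SYSLOG_IDENTIFIER is supplied by the logging process itself, whereas fields starting with an underscore (_UID, _EXE) are added by journald and cannot be altered by the client. For audit purposes, prefer the path match over -t.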

systemctl