journalctl
https://www.loggly.com/ultimate-guide/using-journalctl/ https://www.digitalocean.com/community/tutorials/how-to-use-journalctl-to-view-and-manipulate-systemd-logs
search by user
journalctl _UID=<uid>search by command
journalctl /usr/bin/sudo
journalctl $(which sudo)
journalctl -t sudo-t show syslog identifier