On Fri, Nov 16, 2018 at 01:43:17AM +0100, Maxe wrote: > Hi, > > One of our systems, running ARCH Linux, was compromised (a non-privileged > account, fortunately). But, we could not find /var/log/auth.log or similar > for investigation. Does the journal keep track of login attempts? It seems > that ARCH does not run [r]syslogd. If you want authpriv messages, then run "journalctl SYSLOG_FACILITY=10". See https://en.wikipedia.org/wiki/Syslog#Facility for mapping between numerical and mnemonic facility IDs. Oh, and do install syslog-ng :) Cheers, -- Leonid Isaev
