One of my KVM servers (2 Xeon E5-2680 v2, 1 AMD Vega 10 GPU, Ubuntu 20.04.1 LTS) became unresponsive last night. Of the 5 VMs running on the server, only one could be reached. The server itself refused SSH connections, and I could not even get a screen over HDMI. I did not see any other solution than to reset it. Having done that, I would like to better understand what was actually going on. The following journals are available on the system: # journalctl --list-boots -8 57c5ae37af1649379e82b349abb14f9d Sun 2020-05-24 20:25:57 CEST—Sun 2020-05-24 20:44:30 CEST -7 c617acfdd3854669bd114d1d033cd5a7 Sun 2020-05-24 20:45:01 CEST—Mon 2020-05-25 19:21:48 CEST -6 745df76c9d784907862118c7804a19ab Mon 2020-05-25 19:22:26 CEST—Mon 2020-05-25 19:42:17 CEST -5 9781df6fa3494c4588d0cf4a99678e84 Mon 2020-05-25 19:42:59 CEST—Thu 2020-06-04 04:53:20 CEST -4 db93d994719a4ee1ad8eb74932220898 Thu 2020-06-04 18:45:10 CEST—Thu 2020-06-04 19:16:38 CEST -3 c6007ce834bd4933805138523549677e Thu 2020-06-04 19:17:20 CEST—Thu 2020-08-20 18:35:54 CEST -2 c24b967697ce41a2ac6c1707936dc450 Thu 2020-08-20 18:36:23 CEST—Mon 2020-08-31 17:21:52 CEST -1 b1efda1e7a3b42d4ae9a20f0c3b06fcf Mon 2020-09-07 09:49:24 CEST—Mon 2020-09-07 09:59:49 CEST 0 f5de0a1534a7478e87847031156976d0 Mon 2020-09-07 10:00:19 CEST—Mon 2020-09-07 10:08:33 CEST As you may already see from the list, the last 7 days are missing, I don't actually have access to a journal leading up to the system error. Running journalctl --verify shows the following output. 1f23cc0: Invalid object File corruption detected at /var/log/journal/f9decb319623482392299509c566049a/system@0005a744de309d9e-3dfdf0e20f2b37de.journal~:1f23cc0 (of 33554432 bytes, 97%). FAIL: /var/log/journal/f9decb319623482392299509c566049a/system@0005a744de309d9e-3dfdf0e20f2b37de.journal~ (Bad message) PASS: /var/log/journal/f9decb319623482392299509c566049a/system@24f780e4155245c0a176021b285d8b61-0000000000000001-0005a744de2ec87d.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/user-1000@6da18e6709a04eb8809cb4af946ec557-00000000000008e3-0005a66900b2a7be.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/system@24f780e4155245c0a176021b285d8b61-0000000000010c89-0005a8cfc4df2d27.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/user-1000@6da18e6709a04eb8809cb4af946ec557-0000000000010c88-0005a8cfc4dec165.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/system@24f780e4155245c0a176021b285d8b61-000000000001b654-0005ab341293df34.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/user-1000@6da18e6709a04eb8809cb4af946ec557-000000000001bf95-0005ab56000dcbe1.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/system@0005aeb4750f8660-d0ac81b12520109c.journal~ PASS: /var/log/journal/f9decb319623482392299509c566049a/system@cf2a7210a86040e6aa7736d9b0a88e8b-0000000000000001-0005aeb4750dab5e.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/system.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/user-1000@6da18e6709a04eb8809cb4af946ec557-00000000000269b9-0005ad9c6a92da4a.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/user-1000.journal Reading through some of the obvious web search results, it seems that it is currently not possible to repair a corrupted journal, it's just gone. Frankly, I find it a bit strange when the systemd lead writes that he does not see a need for corrupt journalctl entries to be fixed but maybe it's just me. I'm really not sure what else to do. In my /var/log, I also have files called syslog but they also stop on August 31 and continue today. The same is true for kern. I looked through some other log files such as Xorg and dmesg. Honestly, I'm not even sure what to look for but nothing seems to jump at me. Xorg.log shows only one error that seems unlikely to be the culprit for my problems: [230912.637] (II) xfree86: Adding drm device (/dev/dri/card0) [230912.637] (EE) /dev/dri/card0: failed to set DRM interface version 1.4: Permission denied There seem to be no error or fail messages in dmesg. I mean, everything works currently but this error seems to repeat itself every few weeks. Which other steps can I take to get a better understanding of this issue?

I'm encountering an issue with journalctl filtering on systemd version 256 (256.10). I'm trying to view logs from the last 48 hours while excluding entries related to Syncthing, but I'm unable to achieve this using SYSLOG_IDENTIFIER filtering. I've tried the following approaches, all of which have failed to produce the expected results: 1.

journalctl --since "48 hours ago" SYSLOG_IDENTIFIER!=syncthing
   Error: Failed to add match 'SYSLOG_IDENTIFIER!=syncthing': Invalid argument

2.

journalctl --since "48 hours ago" SYSLOG_IDENTIFIER!="syncthing" SYSLOG_IDENTIFIER!="1i50cgkm5ycymi8kkk064w8x6xp6iywg-merge-syncthing-config"
   Result: -- No entries --

3.

journalctl --since "48 hours ago" SYSLOG_IDENTIFIER!~"syncthing"
   Result: -- No entries --

4. Listing all SYSLOG_IDENTIFIERs except Syncthing also resulted in no entries. The grep approach (journalctl --since "48 hours ago" | grep -v syncthing) works, but I'm specifically interested in using journalctl's native filtering capabilities. Could you please advise on the correct syntax for excluding specific SYSLOG_IDENTIFIERs in journalctl queries? Is this a known issue or limitation in the current version?

If I type sudo journalctl I get the system journal in some kind of a reader. Pressing j and k works like in Vi but G does not go to the end of the file. In fact, if press G, the stream freezes and I have forcibly terminate it. No mention of using the reader is in the man page for journalctl.

I'm using systemd on raspberrypi machine with yocto based system. Recently I had some problems with redirecting messages to rsyslog.socket so I decided to get rid of rsyslog completely in favour of of journald. After doing so I have noticed that size of journald files is much bigger than I previously thought it would be. root@rpiDev: ~ $ journalctl -o cat > /tmp/journals-cat.txt root@rpiDev: ~ $ journalctl -o export > /tmp/journals-exp.txt root@rpiDev: ~ $ journalctl -o verbose > /tmp/journals-verb.txt root@rpiDev: ~ $ journalctl -a -m > /tmp/journals.txt ### This is what I need! root@rpiDev: ~ $ journalctl -a -m -o verbose > /tmp/journals-everything.txt root@rpiDev: ~ $ du -sh /tmp/journals* /var/log/journal/ ; journalctl --disk-usage 468.0K /tmp/journals-cat.txt 15.7M /tmp/journals-everything.txt 4.7M /tmp/journals-exp.txt 4.9M /tmp/journals-verb.txt 2.3M /tmp/journals.txt 41.0M /var/log/journal/ Archived and active journals take up 12.5M on disk. Comparing the sizes it looks like binary files created by journald are much bigger than merged (-m) logs. What I actually need is what is inside /tmp/journals.txt. **Question:** Is it possible to reduce amount of stuff stored by journald in it's binary files to what I noticed when running journalctl -a -m? In other words: can I disable storing all of the information that is not important to me and use journald just as I would syslog? My problem can be solved by disabling permanent storing of journald logs and forwarding them to syslog, but maybe it is possible without bringing back rsyslog? EDIT: Parameters mentioned by some users do not help me here. - Using SystemMaxUse= and RuntimeMaxUse= only sets the maximum size of the files stored- I can have smaller files with the same amount of not needed info and therefore even less actual logs. - Using MaxLevel...= sets the maximum log level stored in the journal. That is also not what I need here. EDIT2: My solution: I have decided to store logs in syslog (I use rsyslog).
In my journald.conf I have set Storage=volatile and used SystemMaxUse=64M and RuntimeMaxUse=64M to limit disk usage by journald.
I also enabled ForwardToSyslog=yes so now I have my old syslog solution working and I'm also able to view runtime journald logs.

I need to know the hours of the reboots of a machine. The system used is Raspberry Pi OS Bookworm. However, I'm a bit confused about what I read... If I understand correctly, the first date will be the startup, and the second will be the shutdown. But in this case, I have multiple startups with conflicting information. Here's my output:

-9 78e891182c6e4686aec796bf8b69f7e3 Mon 2025-04-28 09:17:01 CEST Mon 2025-04-28 14:32:01 CEST
  -8 90301c02b7d9415b80109bc8cebe6d8f Mon 2025-04-28 14:17:01 CEST Mon 2025-04-28 16:15:01 CEST
  -7 d4a81802b6ff49f596858c72a912874b Mon 2025-04-28 15:17:01 CEST Mon 2025-04-28 15:17:01 CEST
  -6 cbbb35a537eb4abf94d34fed8a5591ab Mon 2025-04-28 15:17:01 CEST Mon 2025-04-28 16:19:01 CEST
  -5 4e6a8bb5edba49fbafed1cc600a63852 Mon 2025-04-28 16:18:01 CEST Mon 2025-04-28 16:21:01 CEST
  -4 3c7bb8dc1c4d4d1fa332faec48c14b92 Mon 2025-04-28 16:18:01 CEST Mon 2025-04-28 16:18:01 CEST
  -3 57da6dc6a9ef4621b7015cd96d74e54b Mon 2025-04-28 16:18:01 CEST Mon 2025-04-28 16:18:01 CEST
  -2 a78180d2c8844db484d6e380e88e93f5 Mon 2025-04-28 16:18:01 CEST Mon 2025-04-28 16:25:01 CEST
  -1 a27e260f7c724f8cbd3195f54e7e155c Mon 2025-04-28 16:18:01 CEST Mon 2025-04-28 16:29:01 CEST
   0 dc8a18268f83437ba40bbc9377c284dd Mon 2025-04-28 16:18:01 CEST Mon 2025-04-28 17:07:01 CEST

Entry -8 indicates a session from 14:17 to 16:15, but the following lines show reboots during this timespan. The same is true for entries from -5 to 0: they all show a boot at 16:18 but with different shutdown times. What exactly is happening here? Is this system boots or something else (like a user session)?

Recently, I noticed something strange. If I run the command sudo journalctl -f -u ModemManager in rxvt-unicode (left) and xterm (right), in rxvt-unicode the yellow does not appear when the message is a warning. Both terminals have TERM=xterm-256color and I noticed this problem only in yellow, as the red appears in both terminals. I tried different escape sequences, but I was not able to detect the problem. xterm Right: urxvt" class="img-fluid rounded" style="max-width: 100%; height: auto; margin: 10px 0;" loading="lazy">

systemctl status shows a Degraded state after following Chromeos Development Docs associated with and tweaking the ssh and sshd_config. I've got info about my Build&Machine specs and setup sharing&external guest and Host file&media I worked with journalctl -xe and failed status states found the cros-port-listener.service failures I ran --rotate to generate fresh logs associated with Container restarts with the same Degraded status.

By default my system had about ~500MB max size which had about 1 month of logs. System Journal (/var/log/journal/dd35c7606a5645c5acc9908470c45159) is 483.2M, max 491.5M, 8.2M free. No idea how the 491.5M limit was decided. I changed the below setting and restarted the system └──> grep SystemMaxUse /etc/systemd/journald.conf SystemMaxUse=25G Now the max journal size is 1.0G. Why is it not 25G? System Journal (/var/log/journal/dd35c7606a5645c5acc9908470c45159) is 568.6M, max 1.0G, 455.3M free. I do have enough free space (94%) in the disk └──> df -h /var/log/journal Filesystem Size Used Avail Use% Mounted on /dev/sda1 885G 50G 791G 6% /var How to increase max journal size even further? If possible, I would like to keep the default limit for 1 month but instead of deleting old journal files, save it some where where in can be queried on demand. **Update:** Just to clarify, my journal files are now deleted after 500MB cap, I want to increase the limit to 25G. Even after setting SystemMaxUse=25G, the limit does not increase past 1GB.

For some reason my server with SLES 15 SP4 is not keeping the log data in journalctl for more than 2 days. My journald.conf looks like this:

[Journal]
Storage=persistent
Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
SystemMaxUse=10G
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
MaxRetentionSec=2month
#MaxFileSec=1month
#ForwardToSyslog=no
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
#Audit=yes

But no matter what I try, no log is older than 2 days. I also tried with the

--since

and

--until

flag but still no luck. What can I do to make journald logs persistent?

On a host running Ubuntu 20.04 LTS I notice that, by default, journalctl (without root privileges) is the same as journalctl --utc, but with root privileges journalctl honors the time zone (as shown with timedatectl).

$ journalctl | tail -1 | tr -s ' ' | cut -d' ' -f 1-3
Sep 11 16:38:00

$ sudo journalctl | tail -1 | tr -s ' ' | cut -d' ' -f 1-3
Sep 11 13:38:13

$ timedatectl | grep "Time zone" | tr -s ' ' | cut -d' ' -f 5-6
(-03, -0300)

- I suspect Homebrew/linuxbrew is the culprit, even /home/linuxbrew/.linuxbrew/etc/systemd/journald.conf has all its line commented out, but:

$ which journalctl  # systemd 253 (253) from --version
    /home/linuxbrew/.linuxbrew/bin/journalctl
    $ sudo which journalctl  # systemd 245 (245.4-4ubuntu3.22) from --version
    /bin/journalctl

- There is no alias to journalctl What is the logic behind this behavior? How can I change that, so by default journalctl always use current system time zone?

I'm tailing logs of my own app and Postgres. tail -f /tmp/myapp.log /var/log/postgresql/postgresql.main.log I need to include pgpool 's logs. It used to be syslog, but now it is in journalctl. Is there a way to tie tail -f && journalctl -f together?

journalctl shows logs in the following format

Whenever I needed to get logs from a single unit I added -u flag journalctl -u . This works for most cases, but not for Flatpaks. Important to note that a "solution" with grep or awk is not accepted as it sends the entire log from all units to a simple text filter. This requres the user to create a more complicated filter so that no other logs from other applications are extracted. An explenation on why displayed names in the logs cannot always be used with -u flag would also be appreciated. Example:

> journalctl -b -1 -xe
...
Dec 29 18:05:51 hostname io.github.mrvladus.List.desktop: [DEBUG] Notifications: Check
Dec 29 18:05:51 hostname io.github.mrvladus.List.desktop: [DEBUG] Notifications: Check
Dec 29 18:05:51 hostname io.github.mrvladus.List.desktop: [DEBUG] Notifications: Check
Dec 29 18:05:51 hostname io.github.mrvladus.List.desktop: [DEBUG] Notifications: Check
...

> journalctl -b -1 -u io.github.mrvladus.List.desktop
Failed to add filter for units: No data available
> journalctl -b -1 -u io.github.mrvladus.List.desktop
-- No entries --
> journalctl -b -1 -u List.desktop
-- No entries --
> journalctl -b -1 -u flatpak-app-io.github.mrvladus.List.desktop
-- No entries --
> journalctl -b -1 -u flatpak-app-io.github.mrvladus.List.scope
-- No entries --

from https://unix.stackexchange.com/a/170396/416910 I found that

systemctl list-unit-files --all

would list all units that could generate logs. That output does not contain anything that is similar to io.github.mrvladus.List in my case. So how can it generate logs if it's not in that list? This question is similar to https://unix.stackexchange.com/questions/416548/why-journalctl-does-not-display-log-message-if-i-use-filtering-by-unit , but OP claims that it was a bug which was fixed in version 236. He never clarified whether upgrading actually fixed his issue.

> journalctl --version
systemd 257 (257.1-1-arch)
+PAM +AUDIT -SELINUX -APPARMOR -IMA +IPE +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +BTF +XKBCOMMON +UTMP -SYSVINIT +LIBARCHIVE

I'm trying to disable the display of my laptop with the following cli:

`
xrandr --output LVDS-1 --off

` The display immediately disables but then the laptop **REBOOTS** sometime after 0~600 seconds. I've tried some debug, but no success so far: - External display works fine. ie: properly disabled by xrandr --output HDMI-1 --off and no system reboot. - journalctl is posted bellow, but I could not decipher it. - HandleLidSwitch=ignore and others makes no difference. Any idea what might be happening? ----------------------- ### Additional Info ### - **Notebook:** Gateway NE56R - **CPU:** Intel Pentium 2020M - **Operating System:** Debian GNU/Linux 12.8 ### Debug: External Display ### I've plugged an external HDMI display and run:

`
xrandr --output HDMI-1 --off

` Everything seems to work fine. Ie: the display immediately was disabled and the laptop did not rebooted. ### Debug: journalctl ##### Most of the time I see nothing unusual at journalctl. However, sometimes I get the following log after the xrandr:

`
root@debian:~# journalctl --boot=-1 | tail -n 25
Dec 27 00:26:03 debian systemd: user-108.slice: Consumed 1.497s CPU time.
Dec 27 00:26:13 debian systemd: systemd-hostnamed.service: Deactivated successfully.
Dec 27 00:26:21 debian dbus-daemon: [session uid=0 pid=771] Activating via systemd: service name='org.freedesktop.portal.Desktop' unit='xdg-desktop-portal.service' requested by ':1.26' (uid=0 pid=1015 comm="xscreensaver-settings")
Dec 27 00:26:21 debian systemd: Starting xdg-desktop-portal.service - Portal service...
Dec 27 00:26:21 debian dbus-daemon: [session uid=0 pid=771] Activating via systemd: service name='org.freedesktop.portal.Documents' unit='xdg-document-portal.service' requested by ':1.27' (uid=0 pid=1018 comm="/usr/libexec/xdg-desktop-portal")
Dec 27 00:26:21 debian systemd: Starting xdg-document-portal.service - flatpak document portal service...
Dec 27 00:26:21 debian dbus-daemon: [session uid=0 pid=771] Activating via systemd: service name='org.freedesktop.impl.portal.PermissionStore' unit='xdg-permission-store.service' requested by ':1.28' (uid=0 pid=1022 comm="/usr/libexec/xdg-document-portal")
Dec 27 00:26:21 debian systemd: Starting xdg-permission-store.service - sandboxed app permission store...
Dec 27 00:26:21 debian dbus-daemon: [session uid=0 pid=771] Successfully activated service 'org.freedesktop.impl.portal.PermissionStore'
Dec 27 00:26:21 debian systemd: Started xdg-permission-store.service - sandboxed app permission store.
Dec 27 00:26:21 debian dbus-daemon: [session uid=0 pid=771] Successfully activated service 'org.freedesktop.portal.Documents'
Dec 27 00:26:21 debian systemd: Started xdg-document-portal.service - flatpak document portal service.
Dec 27 00:26:21 debian xdg-document-portal: Ignoring invalid max threads value 4294967295 > max (100000).
Dec 27 00:26:21 debian dbus-daemon: [session uid=0 pid=771] Activating via systemd: service name='org.freedesktop.impl.portal.desktop.gtk' unit='xdg-desktop-portal-gtk.service' requested by ':1.27' (uid=0 pid=1018 comm="/usr/libexec/xdg-desktop-portal")
Dec 27 00:26:21 debian systemd: Starting xdg-desktop-portal-gtk.service - Portal service (GTK/GNOME implementation)...
Dec 27 00:26:21 debian dbus-daemon: [session uid=0 pid=771] Successfully activated service 'org.freedesktop.impl.portal.desktop.gtk'
Dec 27 00:26:21 debian systemd: Started xdg-desktop-portal-gtk.service - Portal service (GTK/GNOME implementation).
Dec 27 00:26:21 debian rtkit-daemon: Supervising 0 threads of 0 processes of 0 users.
Dec 27 00:26:21 debian rtkit-daemon: Supervising 0 threads of 0 processes of 0 users.
Dec 27 00:26:21 debian rtkit-daemon: Supervising 0 threads of 0 processes of 0 users.
Dec 27 00:26:21 debian xdg-desktop-portal: pw.conf: can't load config client.conf: No such file or directory
Dec 27 00:26:21 debian xdg-desktop-portal: pw.conf: can't load default config client.conf: No such file or directory
Dec 27 00:26:21 debian xdg-desktop-por: Failed connect to PipeWire: Couldn't create PipeWire context
Dec 27 00:26:21 debian dbus-daemon: [session uid=0 pid=771] Successfully activated service 'org.freedesktop.portal.Desktop'
Dec 27 00:26:21 debian systemd: Started xdg-desktop-portal.service - Portal service.

` Unfortunately, IDK whether this log is an issue or not. ### Debug: HandleLidSwitch and others ### I've also modified /etc/systemd/logind.conf and changed the HandleLidSwitch line to HandleLidSwitch=ignore. Similar to several other lines:

HandlePowerKey=ignore
HandlePowerKeyLongPress=ignore
HandleRebootKey=ignore
HandleRebootKeyLongPress=ignore
HandleSuspendKey=ignore
HandleSuspendKeyLongPress=ignore
HandleHibernateKey=ignore
HandleHibernateKeyLongPress=ignore
HandleLidSwitch=ignore
HandleLidSwitchExternalPower=ignore
HandleLidSwitchDocked=ignore

Unfortunately, nothing happened (ie: system still reboots after xrandr).

I am trying to use sd_journal_print_with_location() function.

#include 

int main() {
    sd_journal_print_with_location(LOG_INFO, "CODE_FILE=tst_file.c", "CODE_LINE=123", "main", "message");
    return 0;
}

And then execute:

$ gcc -o tst_file tst_file.c -lsystemd
$ ./tst_file
$ journalctl --identifier=tst_file
Dec 11 12:29:17 MYBOX tst_file: message

So the question is: Where are file, line, and func fields? Why cannot I see them with the journalctl? What am I doing wrong?

I know that dmesg and journalctl record commands logs invoked by my operating-system. From the manpages: > dmesg is used to examine or control the kernel ring buffer. > > The default action is to display all messages from the kernel ring buffer. > journalctl may be used to query the contents of the systemd journal as written by systemd-journald.service > > [...] > > -k, --dmesg Show only kernel messages. **Why do 2 recorders exist**, what types of messages should I expect to see within each of them, and what are the differences in their life cycles?

journalctl has the -o short-unix flag that I can use to change the output date format on stuff like -t systemd-sleep. But the only way I've found to list boots is --list-boots, and this doesn't seem to obey the -o flag. Is there a way to make journalctl list boots with unix timestamps? Since systemd is here to stay I fear other methods might break in the future, but I'm open to those suggestions too.

I have a systemd servie unit template that takes arguments: my.service.unit@.service. I call it with: systemctl start my.service.unit@argument.service But I can't figure out how to call any use of my template in the journalctl logs without specifying SyslogIdentifier in the unit file and using journalctl SYSLOG_IDENTIFIER=my.identifier -n10. This seems a tiny bit hacky to me. Is there a better way? I've tried: journalctl _SYSTEMD_UNIT=my.service.unit@.service -n10 but no luck.

## The Question How can I exclude inconsequential¹ failed SSH logins? ## Background For ambient awareness, I like to have little background windows showing system error logs on every GNU/Linux box I admin. I used to do this with xconsole, but now use xterm running journalctl -f. Unfortunately, on the machines where ssh is a needed service, the journalctl log is a constant stream of clutter from crackers trying to ssh in with lists of common names/passwords.² I see failures scrolling in every second for accounts that don't even exist. This makes it hard to see anything else in my console log. ## Solutions? I don't know systemd half as well as I ought, so it's possible there's a slick, simple answer, but I haven't found one yet.³ Any solution is welcome. I suspect it's going to entail messing around with pam, journalctl, and/or grep -v. I'm looking for a solution which still shows me attempts against existing accounts. However, if that is too difficult, I'll accept an answer which hides all failed login attempts. ## Journalctl examples Do not show the following:

Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.90.40  user=root
Dec 12 17:19:21 gaia sshd: Invalid user git from 14.29.201.30
Dec 12 17:19:21 gaia sshd: input_userauth_request: invalid user git [preauth]
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): check pass; user unknown
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=14.29.201.30
Dec 12 17:19:22 gaia sshd: Invalid user molisoft from 5.135.152.97
Dec 12 17:19:22 gaia sshd: input_userauth_request: invalid user molisoft [preauth]
Dec 12 17:19:22 gaia sshd: pam_unix(sshd:auth): check pass; user unknown
Dec 12 17:19:22 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.135.152.97
Dec 12 17:19:23 gaia sshd: Failed password for root from 139.59.90.40 port 37752 ssh2
Dec 12 17:19:23 gaia sshd: Received disconnect from 139.59.90.40: 11: Bye Bye [preauth]
Dec 12 17:19:23 gaia sshd: Failed password for invalid user git from 14.29.201.30 port 41178 ssh2
Dec 12 17:19:23 gaia sshd: Received disconnect from 14.29.201.30: 11: Bye Bye [preauth]
Dec 12 17:19:24 gaia sshd: Failed password for invalid user molisoft from 5.135.152.97 port 50730 ssh2
Dec 12 17:19:24 gaia sshd: Received disconnect from 5.135.152.97: 11: Bye Bye [preauth]

But do show valid logins:

Dec 10 08:56:16 gaia sshd: Accepted publickey for sophia from 24.22.130.192 port 41610 ssh2: RSA 6b:5f:aa:9c:d8:33:65:2c:c4:0c:88:12:ec:9b:ff:51
Dec 10 08:56:16 gaia sshd: pam_unix(sshd:session): session opened for user sophia by (uid=0)
Dec 10 21:06:37 gaia sshd: pam_unix(sshd:session): session closed for user sophia

Also show failed attempts on valid accounts (other than root):

Dec 12 00:46:28 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.9.134  user=sophia
Dec 12 00:46:30 gaia sshd: Failed password for sophia from 192.168.9.134 port 55888 ssh2
Dec 12 00:46:33 gaia sshd: Connection closed by authenticating user sophia 192.168.9.134 port 55888 [preauth]

And, of course, any service which is _not_ sshd should be shown.

Dec 10 08:56:16 gaia systemd: Started User Manager for UID 3237.

____ ¹ Defined as "username does not exist" or "username is root". Root ssh is disabled on my boxen. ² I do use fail2ban. It helps, but the attempts are coming from too many IP addresses. ³ E.g., journalctl allows one to grep, but not grep -v to exclude certain criteria.

I've gotten my systemd-journald-remote.service up and running, with (1) test client connecting successfully via systemd-journald-upload.service. When I normally tail journald logs, I use journalctl -fxb. I tried the same with the remote journald file, using:

sudo journalctl -fxb --file=/var/log/journal/remote/remote-192.168.122.22.journal

and it also works. Here is the problem: while the remote system is running, everything works as expected. However, when the remote system reboots, the remote server logs are still being forwarded, but the current tail stops updating. A restart of the tail command works, but I'd like to avoid doing this, especially when I want to add about 30+ systems. What am I doing wrong>

While working with my services, and looking for the output using "Journalctl". I found there is miss behavior in my service and two running boots logging and alternate together. Could some one explain this behavior .

journalctl --list-boots
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal' can see all messages.
      Pass -q to turn off this notice.
-2 5c6b3e40d96e4859a68d904493976d01 Sun 2022-09-11 05:40:29 UTC—Mon 2022-09-12 13:29:14 UTC
-1 f92edf9426d244748a5a07e811bdada0 Mon 2022-09-12 18:08:30 UTC—Tue 2022-09-13 18:58:40 UTC
 0 ac0f169caa814d698fc38bde2e702b9d Sun 2022-09-18 11:56:08 UTC—Sun 2022-09-18 14:25:50 UTC

sudo journalctl -u xxx_serial.service  --since "2022-09-18 07:00:00" --until "2022-09-18 07:01:00"
-- Journal begins at Sat 2022-09-10 21:23:41 UTC, ends at Sun 2022-09-18 14:43:00 UTC. --
Sep 18 07:00:00 DeviceName sudo: post xxx datas
Sep 18 07:00:00 DeviceName sudo: get_xxx_datas
Sep 18 07:00:00 DeviceName sudo: Server 2022-09-18 06:53:34.550670
Sep 18 07:00:00 DeviceName sudo: send_list_url_log_err
Sep 18 07:00:00 DeviceName sudo: 200 b''
-- Boot ac0f169caa814d698fc38bde2e702b9d --
Sep 18 07:00:02 DeviceName systemd: Started My service.
Sep 18 07:00:02 DeviceName sudo:     root : PWD=/home/xxx/deploy ; USER=root ; COMMAND=/usr/bin/script -f -q -a -c sudo /usr/bin/python3 Main.py logs/xxx_serial.log
Sep 18 07:00:02 DeviceName sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Sep 18 07:00:02 DeviceName sudo:     root : TTY=pts/2 ; PWD=/home/xxx/deploy ; USER=root ; COMMAND=/usr/bin/python3 Main.py
Sep 18 07:00:02 DeviceName sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Sep 18 07:00:02 DeviceName sudo: xxx Start: 2022-09-18T07:00:02.777663+00:00
-- Boot 2f9f72851671475095c6d4f3629836d0 --
Sep 18 07:00:03 DeviceName sudo: post xxx datas
Sep 18 07:00:03 DeviceName sudo: get_xxx_datas
Sep 18 07:00:03 DeviceName sudo: Server 2022-09-18 06:53:37.600670
Sep 18 07:00:03 DeviceName sudo: send_list_url_log_err
Sep 18 07:00:03 DeviceName sudo: 200 b''
-- Boot ac0f169caa814d698fc38bde2e702b9d --
Sep 18 07:00:04 DeviceName sudo: read_port
Sep 18 07:00:04 DeviceName sudo: 2.0553 seconds
Sep 18 07:00:04 DeviceName sudo: send set Freq
Sep 18 07:00:04 DeviceName sudo: 5508050d5a019203008016aa
Sep 18 07:00:04 DeviceName sudo: reset_unsend_datalogs
Sep 18 07:00:04 DeviceName sudo: True
Sep 18 07:00:04 DeviceName sudo: post xxx datas
Sep 18 07:00:04 DeviceName sudo: get_xxx_datas
Sep 18 07:00:04 DeviceName sudo: Server 2022-09-18 07:01:24.150670
Sep 18 07:00:04 DeviceName sudo: send_list_url_log_err
Sep 18 07:00:05 DeviceName sudo: send_list_url_log_err HTTPSConnectionPool(host='rnd.spectraqual.com', port=443): Max retries exceeded with url: /backend/api/LogWS/ (Caused by NewConnectionError('
-- Boot 2f9f72851671475095c6d4f3629836d0 --
Sep 18 07:00:06 DeviceName sudo: post xxx datas
Sep 18 07:00:06 DeviceName sudo: get_xxx_datas
Sep 18 07:00:06 DeviceName sudo: Server 2022-09-18 06:53:40.550670
Sep 18 07:00:06 DeviceName sudo: send_list_url_log_err
Sep 18 07:00:06 DeviceName sudo: 200 b''
-- Boot ac0f169caa814d698fc38bde2e702b9d --
Sep 18 07:00:07 DeviceName sudo: timeout set xxx
Sep 18 07:00:07 DeviceName sudo: 1663484407.88298 1663484402.232106
Sep 18 07:00:07 DeviceName sudo: 1663484407.88298 1663484407.88298
Sep 18 07:00:07 DeviceName sudo: send set xxx period multiplier
Sep 18 07:00:07 DeviceName sudo: 5509020b5a010001aa
Sep 18 07:00:07 DeviceName sudo: post xxx datas
Sep 18 07:00:07 DeviceName sudo: get_xxx_datas
Sep 18 07:00:07 DeviceName sudo: Server 2022-09-18 07:00:02.482106
Sep 18 07:00:07 DeviceName sudo: send_list_url_log_err
Sep 18 07:00:07 DeviceName sudo: send_list_url_log_err HTTPSConnectionPool(host='rnd.spectraqual.com', port=443): Max retries exceeded with url: /backend/api/LogWS/ (Caused by NewConnectionError('
-- Boot 2f9f72851671475095c6d4f3629836d0 --
Sep 18 07:00:09 DeviceName sudo: post xxx datas
Sep 18 07:00:09 DeviceName sudo: get_xxx_datas
Sep 18 07:00:09 DeviceName sudo: Server 2022-09-18 06:53:43.600670
Sep 18 07:00:09 DeviceName sudo: send_list_url_log_err
Sep 18 07:00:09 DeviceName sudo: 200 b''