MESSAGE=anthony … USER=root <— Does this mean that the root user is the actual user but “anthony” will be displayed as being the user anyway?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












0















I found this in /run/log/journal/...



MESSAGE=anthony : TTY=pts/10 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/find / -name *systemctI*


I'm wondering what this means? I'm suspicious of this process "systemctI" since it's one letter off from systemctl. And I was doing some digging and found the above in a log file.



What does it mean? I have a feeling it means the process is using the root user but is pretending to use "anthony." Is this correct?










share|improve this question
























  • The real systemctl ends with an L, but the one in my logs ends with an capital i.

    – Tony Friz
    Feb 14 at 19:37















0















I found this in /run/log/journal/...



MESSAGE=anthony : TTY=pts/10 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/find / -name *systemctI*


I'm wondering what this means? I'm suspicious of this process "systemctI" since it's one letter off from systemctl. And I was doing some digging and found the above in a log file.



What does it mean? I have a feeling it means the process is using the root user but is pretending to use "anthony." Is this correct?










share|improve this question
























  • The real systemctl ends with an L, but the one in my logs ends with an capital i.

    – Tony Friz
    Feb 14 at 19:37













0












0








0








I found this in /run/log/journal/...



MESSAGE=anthony : TTY=pts/10 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/find / -name *systemctI*


I'm wondering what this means? I'm suspicious of this process "systemctI" since it's one letter off from systemctl. And I was doing some digging and found the above in a log file.



What does it mean? I have a feeling it means the process is using the root user but is pretending to use "anthony." Is this correct?










share|improve this question
















I found this in /run/log/journal/...



MESSAGE=anthony : TTY=pts/10 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/find / -name *systemctI*


I'm wondering what this means? I'm suspicious of this process "systemctI" since it's one letter off from systemctl. And I was doing some digging and found the above in a log file.



What does it mean? I have a feeling it means the process is using the root user but is pretending to use "anthony." Is this correct?







ubuntu security logs users






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 14 at 19:39









Kusalananda

135k17255418




135k17255418










asked Feb 14 at 18:28









Tony FrizTony Friz

1085




1085












  • The real systemctl ends with an L, but the one in my logs ends with an capital i.

    – Tony Friz
    Feb 14 at 19:37

















  • The real systemctl ends with an L, but the one in my logs ends with an capital i.

    – Tony Friz
    Feb 14 at 19:37
















The real systemctl ends with an L, but the one in my logs ends with an capital i.

– Tony Friz
Feb 14 at 19:37





The real systemctl ends with an L, but the one in my logs ends with an capital i.

– Tony Friz
Feb 14 at 19:37










1 Answer
1






active

oldest

votes


















1














The syntax matches log messages generated by sudo, but if you are viewing it from systemd's journal files, then it might not have the normal syslog-style <timestamp> <hostname> <program name>: prefix.



The journal files are in a binary format, so they're best viewed using the journalctl command or some other systemd-specific viewer. If you just look for text among the binary data, you'll miss the timestamps and other important metadata.



Assuming this is in fact generated by sudo, it would mean that user anthony had a session running on a pseudo-TTY pts/10 (= might be a terminal window in a local GUI session, or e.g. a remote SSH session), cd'd to the root directory, and ran a command sudo find / -name *systemctI*.



last anthony | grep pts/10 might give you more information on whether the session was a local terminal window or a remote session, and when the session might have happened. If the 3rd field of the last output says :0, then that is a local X11 GUI session; otherwise it should have the source IP address of the remote session.






share|improve this answer























  • Ah I see. This explains it. Thank you.

    – Tony Friz
    Feb 15 at 16:48










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f500678%2fmessage-anthony-user-root-does-this-mean-that-the-root-user-is-the-actua%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














The syntax matches log messages generated by sudo, but if you are viewing it from systemd's journal files, then it might not have the normal syslog-style <timestamp> <hostname> <program name>: prefix.



The journal files are in a binary format, so they're best viewed using the journalctl command or some other systemd-specific viewer. If you just look for text among the binary data, you'll miss the timestamps and other important metadata.



Assuming this is in fact generated by sudo, it would mean that user anthony had a session running on a pseudo-TTY pts/10 (= might be a terminal window in a local GUI session, or e.g. a remote SSH session), cd'd to the root directory, and ran a command sudo find / -name *systemctI*.



last anthony | grep pts/10 might give you more information on whether the session was a local terminal window or a remote session, and when the session might have happened. If the 3rd field of the last output says :0, then that is a local X11 GUI session; otherwise it should have the source IP address of the remote session.






share|improve this answer























  • Ah I see. This explains it. Thank you.

    – Tony Friz
    Feb 15 at 16:48















1














The syntax matches log messages generated by sudo, but if you are viewing it from systemd's journal files, then it might not have the normal syslog-style <timestamp> <hostname> <program name>: prefix.



The journal files are in a binary format, so they're best viewed using the journalctl command or some other systemd-specific viewer. If you just look for text among the binary data, you'll miss the timestamps and other important metadata.



Assuming this is in fact generated by sudo, it would mean that user anthony had a session running on a pseudo-TTY pts/10 (= might be a terminal window in a local GUI session, or e.g. a remote SSH session), cd'd to the root directory, and ran a command sudo find / -name *systemctI*.



last anthony | grep pts/10 might give you more information on whether the session was a local terminal window or a remote session, and when the session might have happened. If the 3rd field of the last output says :0, then that is a local X11 GUI session; otherwise it should have the source IP address of the remote session.






share|improve this answer























  • Ah I see. This explains it. Thank you.

    – Tony Friz
    Feb 15 at 16:48













1












1








1







The syntax matches log messages generated by sudo, but if you are viewing it from systemd's journal files, then it might not have the normal syslog-style <timestamp> <hostname> <program name>: prefix.



The journal files are in a binary format, so they're best viewed using the journalctl command or some other systemd-specific viewer. If you just look for text among the binary data, you'll miss the timestamps and other important metadata.



Assuming this is in fact generated by sudo, it would mean that user anthony had a session running on a pseudo-TTY pts/10 (= might be a terminal window in a local GUI session, or e.g. a remote SSH session), cd'd to the root directory, and ran a command sudo find / -name *systemctI*.



last anthony | grep pts/10 might give you more information on whether the session was a local terminal window or a remote session, and when the session might have happened. If the 3rd field of the last output says :0, then that is a local X11 GUI session; otherwise it should have the source IP address of the remote session.






share|improve this answer













The syntax matches log messages generated by sudo, but if you are viewing it from systemd's journal files, then it might not have the normal syslog-style <timestamp> <hostname> <program name>: prefix.



The journal files are in a binary format, so they're best viewed using the journalctl command or some other systemd-specific viewer. If you just look for text among the binary data, you'll miss the timestamps and other important metadata.



Assuming this is in fact generated by sudo, it would mean that user anthony had a session running on a pseudo-TTY pts/10 (= might be a terminal window in a local GUI session, or e.g. a remote SSH session), cd'd to the root directory, and ran a command sudo find / -name *systemctI*.



last anthony | grep pts/10 might give you more information on whether the session was a local terminal window or a remote session, and when the session might have happened. If the 3rd field of the last output says :0, then that is a local X11 GUI session; otherwise it should have the source IP address of the remote session.







share|improve this answer












share|improve this answer



share|improve this answer










answered Feb 15 at 0:49









telcoMtelcoM

18.9k12347




18.9k12347












  • Ah I see. This explains it. Thank you.

    – Tony Friz
    Feb 15 at 16:48

















  • Ah I see. This explains it. Thank you.

    – Tony Friz
    Feb 15 at 16:48
















Ah I see. This explains it. Thank you.

– Tony Friz
Feb 15 at 16:48





Ah I see. This explains it. Thank you.

– Tony Friz
Feb 15 at 16:48

















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f500678%2fmessage-anthony-user-root-does-this-mean-that-the-root-user-is-the-actua%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?