MESSAGE=anthony … USER=root <— Does this mean that the root user is the actual user but “anthony” will be displayed as being the user anyway?
I found this in /run/log/journal/...

MESSAGE=anthony : TTY=pts/10 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/find / -name *systemctI*

I'm wondering what this means? I'm suspicious of this process "systemctI" since it's one letter off from systemctl. And I was doing some digging and found the above in a log file.

What does it mean? I have a feeling it means the process is using the root user but is pretending to use "anthony." Is this correct?

ubuntu security logs users
edited Feb 14 at 19:39
Kusalananda
asked Feb 14 at 18:28
Tony Friz
The real systemctl ends with an L, but the one in my logs ends with a capital i.
– Tony Friz
Feb 14 at 19:37
1 Answer
The syntax matches log messages generated by sudo, but if you are viewing it from systemd's journal files, then it might not have the normal syslog-style <timestamp> <hostname> <program name>: prefix.

The journal files are in a binary format, so they're best viewed using the journalctl command or some other systemd-specific viewer. If you just look for text among the binary data, you'll miss the timestamps and other important metadata.

Assuming this is in fact generated by sudo, it would mean that user anthony had a session running on a pseudo-TTY pts/10 (= might be a terminal window in a local GUI session, or e.g. a remote SSH session), cd'd to the root directory, and ran a command sudo find / -name *systemctI*.

last anthony | grep pts/10 might give you more information on whether the session was a local terminal window or a remote session, and when the session might have happened. If the 3rd field of the last output says :0, then that is a local X11 GUI session; otherwise it should have the source IP address of the remote session.
answered Feb 15 at 0:49
telcoMtelcoM
Ah I see. This explains it. Thank you.
– Tony Friz
Feb 15 at 16:48
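The reading given in the answer (anthony invoked sudo; sudo ran the command as root; USER= is the target account, not a disguise) can be checked mechanically rather than by eye. The following is an added Python example, not code from the original post, from sudo or from systemd: it parses sudo-style MESSAGE= lines of the kind quoted in the question into their fields, states each record as a plain sentence, and flags argument tokens whose name is one confusable character away from a well-known binary such as systemctl, plus executables run from outside the usual system directories. Only the first sample line is the one from the question; the other sample lines, the list of protected names, the confusable map and the trusted-directory list are constructed for this example. On a real system the same lines, with their timestamps, come from journalctl -o verbose _COMM=sudo rather than from grepping the binary journal files.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input. The first line is the one quoted in the question;
# the rest are made up for this example to show a clean sudo record, a
# non-interactive one (TTY=unknown), a binary run from /tmp, and a journal
# line that is not from sudo at all.
SAMPLE_JOURNAL_MESSAGES = [
    "MESSAGE=anthony : TTY=pts/10 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/find / -name *systemctI*",
    "MESSAGE=anthony : TTY=pts/3 ; PWD=/home/anthony ; USER=root ; COMMAND=/bin/systemctl restart ssh",
    "MESSAGE=backup : TTY=unknown ; PWD=/var/backups ; USER=root ; COMMAND=/usr/bin/rsync -a /etc /var/backups/etc",
    "MESSAGE=anthony : TTY=pts/10 ; PWD=/tmp ; USER=root ; COMMAND=/tmp/systemctI --now",
    "MESSAGE=Started Daily apt download activities.",
]

# sudo's default log line: "<invoking user> : TTY=... ; PWD=... ; USER=<target user> ; COMMAND=..."
SUDO_RE = re.compile(
    r"^MESSAGE=(?P<invoker>[^\s:]+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.+)$"
)


@dataclass
class SudoEvent:
    invoker: str   # the account that ran sudo (here: anthony)
    tty: str       # terminal the command was issued from
    pwd: str       # working directory at the time
    target: str    # the account the command ran as (here: root)
    command: str   # the command line sudo executed


def parse_sudo_message(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo-style MESSAGE= line, or None for anything else."""
    m = SUDO_RE.match(line)
    return SudoEvent(**m.groupdict()) if m else None


def describe(ev: SudoEvent) -> str:
    """Plain-English reading of the record: who ran what, as whom, from where."""
    return (f"{ev.invoker} used sudo on {ev.tty} (cwd {ev.pwd}) to run "
            f"'{ev.command}' as {ev.target}")


# Binary names worth protecting against look-alikes, and the single-character
# confusables to fold before comparing. Both are constructed for the example.
PROTECTED_NAMES = {"systemctl", "journalctl", "sudo", "sshd", "passwd"}
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})


def lookalike_of(name: str) -> Optional[str]:
    """If name is not a protected binary but folds to one, return that binary's name."""
    if name in PROTECTED_NAMES:
        return None
    folded = name.translate(CONFUSABLES).lower()
    return folded if folded in PROTECTED_NAMES else None


TRUSTED_BIN_DIRS = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/", "/usr/local/bin/")


def findings_for(ev: SudoEvent) -> List[str]:
    """Reasons a sudo record deserves a second look; an empty list means nothing odd."""
    reasons: List[str] = []
    argv = ev.command.split()
    if not argv:
        return reasons
    if not argv[0].startswith(TRUSTED_BIN_DIRS):
        reasons.append(f"executable outside trusted directories: {argv[0]}")
    for tok in argv:
        # strip shell glob/quote characters and any leading path before comparing
        name = tok.strip("*?'\"").rsplit("/", 1)[-1]
        real = lookalike_of(name)
        if real:
            reasons.append(f"token {tok!r} is one confusable character away from {real!r}")
    return reasons


def scan(lines: List[str]) -> List[Tuple[SudoEvent, List[str]]]:
    """Parse every sudo record in lines and attach its findings."""
    out = []
    for line in lines:
        ev = parse_sudo_message(line)
        if ev is not None:
            out.append((ev, findings_for(ev)))
    return out


if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_JOURNAL_MESSAGES):
        print(describe(ev))
        for r in reasons:
            print("  ! " + r)
```

Run against the sample, the question's line is reported as anthony running find as root from pts/10 with the *systemctI* pattern flagged as a look-alike of systemctl; the clean systemctl restart and the rsync record produce no findings, and the /tmp/systemctI line is flagged twice (untrusted location and look-alike name). The find invocation itself is not evidence of a rogue binary; it only shows someone searching for one, which is consistent with the answer's reading.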