How to view audit logs in systemd journal

by Rudd-O last modified 2020-05-06T09:11:45+00:00
Note to self: hard trick to solve.

Sometimes you want to check the journal for audit events (e.g. you're diagnosing an SELinux issue). This is the magic trick:

journalctl <options> _TRANSPORT=audit

The _TRANSPORT=audit match limits the journal output to audit log entries only.
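
For the SELinux case mentioned above, the audit-only output can be piped into a small summarizer that tallies AVC denials. This is an added example, not part of the original note: the function names are hypothetical, the sample lines are constructed, and it assumes AVC records appear in the journal message with the usual "avc:  denied  { perm } ... scontext= tcontext= tclass=" text.

```sh
#!/bin/sh
# Added example (not from the original note). Function names are hypothetical.

# Constructed sample of `journalctl -o cat _TRANSPORT=audit` output, not real logs.
sample_audit_lines() {
cat <<'EOF'
AVC avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
SYSCALL arch=c000003e syscall=257 success=no exit=-13 pid=2101 comm="httpd" exe="/usr/sbin/httpd"
AVC avc:  denied  { read } for  pid=2102 comm="httpd" name="about.html" dev="dm-0" ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
USER_LOGIN pid=900 uid=0 auid=1000 msg='op=login acct="alice" res=success'
AVC avc:  denied  { name_connect } for  pid=2103 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Read audit messages on stdin and print one line per distinct denial:
#   count comm source_type -> target_type class { perms }
summarize_avc() {
    awk '
    /avc:/ && /denied/ {
        # Permission list is the text between the braces.
        perm = $0
        sub(/^[^{]*[{] */, "", perm); sub(/ *[}].*$/, "", perm)
        comm = src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass") cls = kv[2]
        }
        n[comm " " src " -> " tgt " " cls " { " perm " }"]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Live use: the filter from the note plus illustrative options
# (-b = current boot, -o cat = message text only).
avc_since_boot() {
    journalctl -b -o cat _TRANSPORT=audit | summarize_avc
}

# Demo on the constructed sample.
sample_audit_lines | summarize_avc
```

Non-AVC audit records (SYSCALL, USER_LOGIN and so on) pass through the journal filter but are skipped by the summarizer.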