How to view audit logs in systemd journal

published May 06, 2020

Note to self: hard trick to solve.

Sometimes you want to check the journal for audit events (e.g. you're diagnosing an SELinux issue). This is the magic trick:

journalctl _TRANSPORT=audit

The _TRANSPORT=audit match limits the journal output to entries that journald received from the kernel audit subsystem, so only audit log entries are shown.
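
An added example, not part of the original post: a small Python script that reads `journalctl _TRANSPORT=audit -o json` on stdin and tallies SELinux AVC denials by process, contexts, class and permission. It assumes the `_AUDIT_TYPE` field that journald attaches to audit entries (1400 is the AVC record type); the `SAMPLE` lines are constructed for illustration.

```python
import json
import re
import sys
from collections import Counter

AUDIT_AVC = "1400"  # audit record type number for SELinux AVC messages
# Constructed sample: four lines shaped like `journalctl _TRANSPORT=audit -o json` output.
SAMPLE = r'''
{"_TRANSPORT":"audit","_AUDIT_TYPE":"1400","MESSAGE":"AVC avc:  denied  { read } for  pid=1201 comm=\"nginx\" name=\"index.html\" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0"}
{"_TRANSPORT":"audit","_AUDIT_TYPE":"1400","MESSAGE":"AVC avc:  denied  { read } for  pid=1202 comm=\"nginx\" name=\"index.html\" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0"}
{"_TRANSPORT":"audit","_AUDIT_TYPE":"1400","MESSAGE":"AVC avc:  denied  { read open } for  pid=2310 comm=\"backup\" path=\"/srv/data/db\" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1"}
{"_TRANSPORT":"audit","_AUDIT_TYPE":"1130","MESSAGE":"SERVICE_START pid=1 uid=0 msg='unit=sshd comm=\"systemd\" res=success'"}
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(entry):
    """Return the fields of an AVC denial, or None for any other journal entry."""
    if entry.get("_TRANSPORT") != "audit" or entry.get("_AUDIT_TYPE") != AUDIT_AVC:
        return None
    msg = entry.get("MESSAGE")
    if not isinstance(msg, str):  # non-UTF-8 messages are exported as byte arrays
        return None
    m = AVC_RE.search(msg)
    if m is None:  # e.g. "avc:  granted" records
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(msg)}
    return {"perms": m.group("perms").split(),
            **{f: kv.get(f, "?") for f in ("comm", "scontext", "tcontext", "tclass")}}

def summarize(lines):
    """Count denials per (comm, scontext, tcontext, tclass, permission)."""
    counts = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        avc = parse_avc(entry) if isinstance(entry, dict) else None
        for perm in (avc["perms"] if avc else []):
            counts[(avc["comm"], avc["scontext"], avc["tcontext"], avc["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    # Read real journal output when piped in; otherwise fall back to the sample.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for key, n in summarize(source).most_common():
        print(n, *key)
```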