Concretely, when a user plugs in a USB device, we get an alert. But is it possible to get the logins on the host that triggered the alert, going back, say, 24 hours? The alert searches for 'usbguard' events in /var/log/secure.
Look for lines like these in /var/log/auth.log:
Aug 24 20:10:01 bolo CRON[46362]: pam_unix(cron:session): session closed for user root
Aug 24 20:12:00 bolo sshd[46950]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Across whatever timeframe is appropriate.
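One way to pull those session lines for the 24 hours before an alert, as an added example that is not part of the original answer. The function name, the alert time and its year, and every sample line other than the two quoted above are constructed assumptions; feed it lines from whichever file the host uses (/var/log/secure or /var/log/auth.log).

```python
import re
from datetime import datetime, timedelta

# pam_unix session lines in the syslog format quoted above.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"[^\[\s:]+(?:\[\d+\])?: pam_unix\((?P<svc>[^:)]+):session\): "
    r"session (?P<action>opened|closed) for user (?P<user>[^\s(]+)"
)

def sessions_before(lines, alert_time, host, hours=24):
    """Return (time, service, user, action) for pam_unix session events on
    `host` in the `hours` leading up to `alert_time`."""
    start = alert_time - timedelta(hours=hours)
    hits = []
    for line in lines:
        m = SESSION_RE.match(line)
        if not m or m["host"] != host:
            continue
        try:
            # Classic syslog timestamps carry no year: assume the alert's year,
            # and step back a year if that lands after the alert (Dec -> Jan).
            ts = datetime.strptime(f"{alert_time.year} {m['ts']}", "%Y %b %d %H:%M:%S")
            if ts > alert_time:
                ts = ts.replace(year=ts.year - 1)
        except ValueError:  # e.g. Feb 29 paired with a non-leap year
            continue
        if start <= ts <= alert_time:
            hits.append((ts, m["svc"], m["user"], m["action"]))
    return sorted(hits)

# Constructed sample: the two lines quoted above plus invented neighbours.
SAMPLE = [
    "Aug 23 19:00:00 bolo sshd[100]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)",
    "Aug 24 20:10:01 bolo CRON[46362]: pam_unix(cron:session): session closed for user root",
    "Aug 24 20:12:00 bolo sshd[46950]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)",
    "Aug 24 20:13:00 other sshd[1]: pam_unix(sshd:session): session opened for user bob(uid=1001) by (uid=0)",
    "Aug 24 20:20:00 bolo sshd[47000]: pam_unix(sshd:session): session closed for user root",
]
ALERT = datetime(2024, 8, 24, 20, 15, 0)  # constructed usbguard alert time; year assumed

if __name__ == "__main__":
    for ts, svc, user, action in sessions_before(SAMPLE, ALERT, "bolo"):
        print(ts.isoformat(sep=" "), svc, user, action)
```

The service field makes it easy to drop cron sessions and keep only sshd or console logins when reviewing the result.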