I want to monitor SSH sessions, including login and logout events. When I run journalctl without any flags, I see both login events like:

Accepted publickey for root from 192.168.1.24 port 56464

and logout events like:

Disconnected from user root 192.168.1.24 port 56464

But when I want to reduce the output and filter only the sshd events, I run journalctl -u sshd. In this case I see only the Accepted publickey events, but not the Disconnected from user events.

Pavel Anni

1 Answer

TL;DR: Instead of journalctl -u sshd you should use journalctl -t sshd.

To figure that out, I ran journalctl -o json-pretty and analyzed login and logout events. The login events have "_SYSTEMD_UNIT" : "sshd.service" in their JSON output, so they show up when you specify the unit with -u sshd. But the logout events have "_SYSTEMD_UNIT" : "session-27.scope", and that's why they are not shown for -u sshd. Of course, the session number is different for each SSH session.

What is common to both logout and login events is "SYSLOG_IDENTIFIER" : "sshd", which means we have to use the -t flag (or long-form --identifier) to specify the identifier.

This is on Fedora and RHEL. I haven't tested it on Debian/Ubuntu yet. Please comment if it's different there.

I hope this will help somebody.

Pavel Anni
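The difference the answer describes, reproduced over journalctl -o json output: this is an added example (not the answer's own code), run on a constructed, made-up journal sample; by_unit mimics -u and by_identifier mimics -t, and open_sessions pairs Accepted and Disconnected lines so that a session whose logout was missed by -u filtering would otherwise look permanently open.

```python
import json
import re

# Constructed `journalctl -o json` output (one object per line) using the fields
# the answer names; every value here is made up, not captured from a real host.
SAMPLE_JOURNAL = """
{"SYSLOG_IDENTIFIER": "sshd", "_SYSTEMD_UNIT": "sshd.service", "MESSAGE": "Accepted publickey for root from 192.168.1.24 port 56464 ssh2: ED25519 SHA256:EXAMPLE"}
{"SYSLOG_IDENTIFIER": "systemd", "_SYSTEMD_UNIT": "init.scope", "MESSAGE": "Started Session 27 of User root."}
{"SYSLOG_IDENTIFIER": "sshd", "_SYSTEMD_UNIT": "session-27.scope", "MESSAGE": "Disconnected from user root 192.168.1.24 port 56464"}
{"SYSLOG_IDENTIFIER": "sshd", "_SYSTEMD_UNIT": "sshd.service", "MESSAGE": "Accepted publickey for alice from 192.168.1.30 port 50122 ssh2: ED25519 SHA256:EXAMPLE2"}
"""

LOGIN_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
LOGOUT_RE = re.compile(r"Disconnected from user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)")


def parse_journal(text):
    """Parse `journalctl -o json` output: one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def by_unit(records, unit):
    """What `journalctl -u UNIT` selects: records whose _SYSTEMD_UNIT matches."""
    return [r for r in records if r.get("_SYSTEMD_UNIT") == unit]

def by_identifier(records, ident):
    """What `journalctl -t IDENT` selects: records whose SYSLOG_IDENTIFIER matches."""
    return [r for r in records if r.get("SYSLOG_IDENTIFIER") == ident]

def session_event(record):
    """Classify an sshd MESSAGE as a login or logout event; None for other lines."""
    msg = record.get("MESSAGE", "")
    for kind, pattern in (("login", LOGIN_RE), ("logout", LOGOUT_RE)):
        m = pattern.search(msg)
        if m:
            return {"event": kind, **m.groupdict()}
    return None

def open_sessions(records):
    """(user, ip, port) tuples with an Accepted line but no Disconnected line yet."""
    active = set()
    for r in by_identifier(records, "sshd"):
        ev = session_event(r)
        if ev is None:
            continue
        key = (ev["user"], ev["ip"], ev["port"])
        if ev["event"] == "login":
            active.add(key)
        else:
            active.discard(key)
    return sorted(active)
```

Swap by_identifier for by_unit inside open_sessions and root's session never closes, which is exactly the gap the question ran into.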