idaholab#309, rsyslog no longer in bookworm

docs/malcolm-hedgehog-e2e-iso-install.md

@@ -572,9 +572,9 @@ Despite configuring capture and/or forwarder services as described in previous s
 * **AUTOSTART_FILEBEAT** - [filebeat](#Hedgehogfilebeat) Zeek and Suricata log forwarder 
 * **AUTOSTART_FLUENTBIT_AIDE** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/exec) [AIDE](https://aide.github.io/) file system integrity checks
 * **AUTOSTART_FLUENTBIT_AUDITLOG** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/tail) [auditd](https://man7.org/linux/man-pages/man8/auditd.8.html) logs
-* *AUTOSTART_FLUENTBIT_KMSG* - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/kernel-logs) the Linux kernel log buffer (these are generally reflected in syslog as well, which may make this agent redundant)
+* *AUTOSTART_FLUENTBIT_KMSG* - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/kernel-logs) the Linux kernel log buffer (these are generally reflected in the Systemd log as well, which may make this agent redundant)
 * **AUTOSTART_FLUENTBIT_METRICS** - [Fluent Bit](https://fluentbit.io/) agent for collecting [various](https://docs.fluentbit.io/manual/pipeline/inputs) system resource and performance metrics
-* **AUTOSTART_FLUENTBIT_SYSLOG** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/syslog) Linux syslog messages
+* **AUTOSTART_FLUENTBIT_SYSTEMD** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/systemd) log messages from the Linux Journald daemon
 * **AUTOSTART_FLUENTBIT_THERMAL** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/thermal) system temperatures (only applicable on actual hardware, not if Hedgehog is running on a virtual machine)
 * **AUTOSTART_MISCBEAT** - [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) forwarder which sends system metrics collected by [Fluent Bit](https://fluentbit.io/) to a remote Logstash instance (e.g., [Malcolm]({{ site.github.repository_url }})'s)
 * *AUTOSTART_NETSNIFF* - [netsniff-ng](http://netsniff-ng.org/) PCAP engine for saving packet capture (PCAP) files
@@ -617,7 +617,7 @@ fluentbit-metrics:disk           RUNNING   pid 6468, uptime 0:03:17
 fluentbit-metrics:mem            RUNNING   pid 6472, uptime 0:03:17
 fluentbit-metrics:mem_p          RUNNING   pid 6473, uptime 0:03:17
 fluentbit-metrics:netif          RUNNING   pid 6474, uptime 0:03:17
-fluentbit-syslog                 RUNNING   pid 6478, uptime 0:03:17
+fluentbit-systemd                RUNNING   pid 6478, uptime 0:03:17
 fluentbit-thermal                RUNNING   pid 6480, uptime 0:03:17
 netsniff:netsniff-enp1s0         STOPPED   Not started
 prune:prune-pcap                 RUNNING   pid 6484, uptime 0:03:17

logstash/pipelines/beats/11_beats_logs.conf

@@ -545,6 +545,11 @@ filter {
 
     } # if ([miscbeat][syslog])
 
+    # if ([miscbeat][systemd]) {
+    #   #-------------------------------------------------
+    #   # systemd - https://docs.fluentbit.io/manual/pipeline/inputs/systemd
+    # } # if ([miscbeat][systemd])
+
     if ([miscbeat][thermal]) {
     #-------------------------------------------------
     # thermal - https://docs.fluentbit.io/manual/pipeline/inputs/thermal

malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot

@@ -121,14 +121,6 @@ echo "umask 077" >> /etc/profile
 echo "export UMASK=077" >> /etc/profile
 echo "export PYTHONDONTWRITEBYTECODE=1" >> /etc/profile
 
-# enable cron logging
-sed -r -i "s@^#(cron\.\*\s+.*/var/log/cron\.log)@\1@" /etc/rsyslog.conf
-
-# enable rsyslog forwarding to localhost:9514 over UDP (for filebeat syslog input)
-echo >> /etc/rsyslog.conf
-echo '*.* @127.0.0.1:9514' >> /etc/rsyslog.conf
-echo >> /etc/rsyslog.conf
-
 # put sudoers log into its own logfile
 awk 'FNR==NR{ if (/^Defaults/) p=NR; next} 1; FNR==p{ print "Defaults\t!syslog\nDefaults\tlogfile=/var/log/sudo.log" }' /etc/sudoers /etc/sudoers > /tmp/newsudoers
 mv /tmp/newsudoers /etc/sudoers && chmod 440 /etc/sudoers

sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot

@@ -96,14 +96,6 @@ echo "umask 077" >> /etc/profile
 echo "export UMASK=077" >> /etc/profile
 echo "export PYTHONDONTWRITEBYTECODE=1" >> /etc/profile
 
-# enable cron logging
-sed -r -i "s@^#(cron\.\*\s+.*/var/log/cron\.log)@\1@" /etc/rsyslog.conf
-
-# enable rsyslog forwarding to localhost:9514 over UDP (for filebeat syslog input)
-echo >> /etc/rsyslog.conf
-echo '*.* @127.0.0.1:9514' >> /etc/rsyslog.conf
-echo >> /etc/rsyslog.conf
-
 # put sudoers log into its own logfile
 awk 'FNR==NR{ if (/^Defaults/) p=NR; next} 1; FNR==p{ print "Defaults\t!syslog\nDefaults\tlogfile=/var/log/sudo.log" }' /etc/sudoers /etc/sudoers > /tmp/newsudoers
 mv /tmp/newsudoers /etc/sudoers && chmod 440 /etc/sudoers

sensor-iso/interface/sensor_ctl/control_vars.conf

@@ -140,7 +140,7 @@ export AUTOSTART_FLUENTBIT_AIDE=false
 export AUTOSTART_FLUENTBIT_AUDITLOG=false
 export AUTOSTART_FLUENTBIT_KMSG=false
 export AUTOSTART_FLUENTBIT_METRICS=false
-export AUTOSTART_FLUENTBIT_SYSLOG=false
+export AUTOSTART_FLUENTBIT_SYSTEMD=false
 export AUTOSTART_FLUENTBIT_THERMAL=false
 export AUTOSTART_MISCBEAT=false
 export AUTOSTART_NETSNIFF=false

sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-systemd.conf

@@ -0,0 +1,18 @@
+[program:fluentbit-systemd]
+command=/opt/fluent-bit/bin/fluent-bit
+  -R /etc/fluent-bit/parsers.conf
+  -i systemd
+  -p Read_From_Tail=On
+  -p Lowercase=On
+  -p Strip_Underscores=On
+  -o tcp://localhost:%(ENV_MISCBEAT_PORT)s
+  -p format=json_lines
+  -F nest -p Operation=nest -p Nested_under=systemd -p WildCard='*' -m '*'
+  -F record_modifier -p "Record=module systemd" -m '*'
+  -f 1
+startsecs=20
+startretries=3
+stopasgroup=true
+killasgroup=true
+autostart=%(ENV_AUTOSTART_FLUENTBIT_SYSTEMD)s
+autorestart=%(ENV_AUTOSTART_FLUENTBIT_SYSTEMD)s