Extend Wazuh Dashboard with Systemd-Journald Log Viewing Capability

[JcabreraC]

Description

To complement the recently introduced journald log collection feature in Wazuh, this issue proposes adding a dedicated systemd-journald events tab to the Wazuh Dashboard's "Log Collection" section. This new tab will enable users to visualize journald configuration from their agent.

Background

Wazuh now supports the collection of systemd-journald logs, providing detailed insights into system and service behaviors. To fully leverage this feature, it's crucial to present journald log configutation in the Wazuh Dashboard in an intuitive and accessible manner, akin to how Windows, macOS, and other log types are currently displayed.

Configuration and API Response Examples

Example Configurations and Corresponding API Outputs:

1. Basic journald Log Collection:

   Configuration:

   <localfile>
     <log_format>journald</log_format>
     <location>journald</location>
   </localfile>

   API Output:

   {
       "localfile": [
           {
               "logformat": "journald",
               "only-future-events": "yes",
               "target": ["agent"]
           }
       ]
   }

2. journald Log Collection with Filters:

   Configuration:

   <localfile>
     <location>journald</location>
     <log_format>journald</log_format>
     <filter field="_KERNEL_DEVICE">.</filter>
   </localfile>

   API Output:

   {
       "localfile": [
           {
               "logformat": "journald",
               "only-future-events": "yes",
               "target": ["agent"],
               "filters": [
                   {
                       "field": "_KERNEL_DEVICE",
                       "expression": ".",
                       "ignore_if_missing": false
                   }
               ],
               "filters_disabled": false
           }
       ]
   }

3. Complex journald Configuration with Multiple Filters:

   Configuration:

   <localfile>
     <log_format>journald</log_format>
     <location>journald</location>
   </localfile>
   <!-- Additional configurations omitted for brevity -->

   API Output:

   {
       "logformat": "journald",
       "only-future-events": "no",
       "target": ["agent"],
       "filters": [
           [
               {
                   "field": "_KERNEL_DEVICE",
                   "expression": ".",
                   "ignore_if_missing": false
               }
           ],
           [
               {
                   "field": "_SYSTEMD_UNIT",
                   "expression": "^cron.service$",
                   "ignore_if_missing": false
               },
               {
                   "field": "CUSTOM",
                   "expression": "0|1|2",
                   "ignore_if_missing": true
               }
           ]
       ],
       "filters_disabled": false
   }

Requirements

• Implement a systemd-journald events tab in the Wazuh Dashboard's "Log Collection" section.
• The interface should dynamically display journald log configurations and filters based on the API's response, as illustrated in the examples above.
• Ensure the UI provides an intuitive and informative experience, allowing users to easily interpret the journald log configuration.

Tasks

• Design and implement the UI for displaying journald logs, with attention to displaying detailed filter configurations.
• Develop the necessary backend and frontend integrations to fetch and present journald log data configuration.
• Validate the implementation with different journald log configurations to ensure accuracy and usability.

Additional Considerations

• Given the potential complexity and variety of journald log configurations, the design should prioritize clarity and ease of navigation.

This feature is a critical step towards leveraging the full capabilities of journald log collection within the Wazuh ecosystem, offering users a comprehensive toolset for system monitoring and analysis.

[JuanGarriuz]

Update 11/04

Journald tab is running correctly, but the response structure difficult the render a table with agent-linked values.

Evidence

To Do

• Investigate if there is a better form to render the filter table
• Improve Filters visualization
• Update Changelog

[JuanGarriuz]

Update 15/04

The array structure represents a logic structure, meaning that we should represent the filters in a logic expression. Array's array represents an OR structure, and objects on arrays represent an AND structure. Then we should change the filter representation.

• Change the filters table structure to a logic expression structure.

[JuanGarriuz]

Update 16/04

After a meeting, it has been decided to revert to the table structure, representing filter groups as OR units and separated from other filter units by an AND, displayed in the table with an element that will appear on the left as 'Filters Group'.

[JuanGarriuz]

Update 18/04

Different formats to render the dashboard.

Table

Tree View