Journald support in Logcollector #12862
Comments
I did this for OSSEC a few years back - just haven't had the time/energy to port it over. I spoke with the devs in Slack about this and they said they were looking into doing the portage to Wazuh. If anyone else wants to rewrite a bunch of pointer syntax to convert the OSSEC modality to the way Wazuh modified the C code for the internal logreader pipeline, feel free to ping me for assistance.
I'm using a custom-built wazuh container that runs as a DaemonSet on OKD worker nodes (Fedora CoreOS). Fedora uses a journald logging system. I need wazuh to be able to parse journald logs (instead of log files) for this to work. Any idea on when this will enter the roadmap? Journald has been around for some time already (10 years?!).
I just had a client today asking me if Wazuh could logcollect directly from journald and I pointed him here. If there is more info available on this please do share.
We agree to delay the task delivery to April 18th.
Echoing interest. The Nix community is progressively porting the Wazuh suite to NixOS and Nixpkgs, but this means Wazuh LogCollector on NixOS will not work without porting progress: NixOS/nixpkgs#230623
Logcollector support for journald logs
Description
systemd has a component called journald that handles logging for the services. It makes it easier for the services to record information about their status and actions. This information can be very valuable for the Wazuh users, so we need to develop a way to enable Logcollector to monitor these logs.
Related issues
This task is similar to the support for macOS logs through the integration with the Unified Logging System:
Functional requirements
<localfile> blocks for journald, all of which are valid.
New options
Compatible options
Non-functional requirements
logcollector.loop_timeout seconds.
If logcollector.max_lines is greater than 0, then at most as many events as the option value will be read in each read phase.
If <only-future-events> is set to no, the agent shall position the read cursor over the event after the last one sent after a restart.
If <only-future-events> is set to yes, or the agent has started for the first time, the agent should position the read cursor at the end of the log.
<ignore> and <restrict> shall execute the search on the content to be sent (full log).
Implementation restrictions
journalctl.
journalctl whenever possible.
<localfile> block.
Plan
journald Logs Integration into Logcollector #22322
journald Log Collection Feature #22606
journald Log Collection Integration #22654
journald Log Collection Integration Tests qa-integration-framework#130
Requirements Traceability Matrix (RTM)
<ignore> and <restrict>.
Reference
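The read-cursor, max_lines and <ignore>/<restrict> rules from the non-functional requirements above, as an added Python model that is not Wazuh's code: the journal entries, the cursor strings and the JournaldReader class are constructed for illustration, and starting at the end of the log when a saved cursor is no longer present is an assumption, not a stated requirement.

```python
import re

# Constructed journal entries (cursor format is illustrative, not a real journald cursor).
JOURNAL = [
    {"cursor": f"s=demo;i={i}", "unit": unit, "message": msg}
    for i, (unit, msg) in enumerate([
        ("sshd.service", "Accepted publickey for alice from 10.0.0.5 port 50222"),
        ("sshd.service", "Failed password for invalid user admin from 203.0.113.9 port 41022"),
        ("cron.service", "(root) CMD (run-parts /etc/cron.hourly)"),
        ("sshd.service", "Failed password for root from 203.0.113.9 port 41030"),
        ("sshd.service", "Connection closed by 203.0.113.9 port 41030"),
    ])
]

class JournaldReader:
    """Hypothetical reader modelling the requirements above; not Wazuh's implementation."""
    def __init__(self, journal, only_future_events, saved_cursor=None,
                 max_lines=0, ignore=None, restrict=None):
        self.journal = journal
        self.max_lines = max_lines
        self.ignore = re.compile(ignore) if ignore else None
        self.restrict = re.compile(restrict) if restrict else None
        self.pos = self._initial_position(only_future_events, saved_cursor)

    def _initial_position(self, only_future_events, saved_cursor):
        cursors = [e["cursor"] for e in self.journal]
        # only-future-events=yes, first start (no saved cursor), or a saved cursor that has
        # left the journal (assumed behaviour): position the cursor at the end of the log.
        if only_future_events or saved_cursor not in cursors:
            return len(self.journal)
        # only-future-events=no: resume at the event after the last one sent.
        return cursors.index(saved_cursor) + 1

    def read_phase(self):
        """Read at most max_lines events (0 = no limit), filter the full log line, advance."""
        end = len(self.journal)
        if self.max_lines > 0:
            end = min(end, self.pos + self.max_lines)
        sent = []
        for entry in self.journal[self.pos:end]:
            line = f"{entry['unit']}: {entry['message']}"  # full log as it would be sent
            if self.ignore and self.ignore.search(line):
                continue
            if self.restrict and not self.restrict.search(line):
                continue
            sent.append(line)
        self.pos = end
        return sent

    def last_cursor(self):  # value to persist so a restart with only-future-events=no resumes
        return self.journal[self.pos - 1]["cursor"] if self.pos else None
```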
Approved by