Logcollector support for journald logs

Description

systemd has a component called journald that handles logging for the services. It makes it easier for the services to record information about their status and actions. This information can be very valuable for the Wazuh users, so we need to develop a way to enable Logcollector to monitor these logs.

Related issues

This task is similar to the support for macOS logs through the integration with the Unified Logging System:

• Log Analysis cannot parse OSX logs #4572

Functional requirements

1. The user will have a new option available in Logcollector to gather journald logs.
   • Local configuration: agent's etc/ossec.conf.
   • Shared configuration: manager's etc/shared/*/agent.conf.
   • Shared configuration: user interface.
2. The user can define multiple <localfile> blocks for journald, all of which are valid.
3. Agents will include a basic journald configuration by default, on new installations, if the platform has journald.
4. Users will be provided with a predefined ruleset used to analyze journald events.
5. Users may extend such ruleset according to their needs.
6. The user will be able to find the alerts derived from the captured logs in the Wazuh Dashboard.

New options

<localfile>
  <log_format>journald</log_format>
  <journald>
    <priority>
    <transport>
    <syslog_identifier>
    <syslog_facility>

Compatible options

<localfile>
  <ignore>
  <restrict>
  <only-future-events>

Non-functional requirements

1. Logcollector should check for new events in the journald API every logcollector.loop_timeout seconds.
2. If logcollector.max_lines is greater than 0, then a maximum of events corresponding to the option value will be read in each read phase.
3. If <only-future-events> is set to no, the agent shall position the read cursor over the event after the last one sent after a restart.
4. If either <only-future-events> is set to yes, or the agent has started for the first time, the agent should position the read cursor at the end of the log.
5. Options <ignore> and <restrict> shall execute the search on the content to be sent (full log).
6. The documentation shall include a new capabilities section explaining how to gather journald logs.

Implementation restrictions

1. The content that the agent sends (full_log) must correspond to the output of journalctl.
2. This feature should be implemented via the journald API. Avoid calling journalctl whenever possible.
3. This feature will only be available on Linux, and depends on the distro being based on systemd.
4. Regarding functional requirement no. 2, there is no way to override or cancel a journald <localfile> block.

Plan

• Stage 1: Make a PoC to pick up logs from journald.
• Stage 2: Implement the necessary changes to the agent.
  • Implement Library for journald Logs Integration into Logcollector #22322
  • Support of multiple journald blocks in the configuration. #22411
  • Develop Unit Tests for journald Log Collection Feature #22606
• Stage 3: Extend the Logcollector QA tests to check this feature.
  • Create Integration Tests for journald Log Collection Integration #22654
  • Implement Required Modifications to the Wazuh QA Framework for journald Log Collection Integration Tests qa-integration-framework#130
• Stage 4: Extend the reference documentation with the new options and values.
• Stage 5: Validate Compatibility of Journald Log Collection with Existing Ruleset.
• Stage 6: Verify that the new configuration can be pushed from the UI. A priori, no changes are required in the Dashboard.
• Stage 7: Extend the capabilities section of the documentation to explain how to gather journald logs.
• Stage 8: Enable Framework to Parse and send journald Configuration as JSON.

Requirements Traceability Matrix (RTM)

Reference

• sd-journal (www.freedesktop.org)
• systemd.journal-fields (www.freedesktop.org)

Approved by

• @vikman90