journald parsing


Mar Ben

Apr 11, 2018, 12:42:25 PM
to Wazuh mailing list
Hello

I've been trying to configure journald parsing in order to get alerts from it, but found no info googling and have no idea how to get this done.
Can anyone please give me some clue or info on how to do it?

Thanks in advance!!
Marcelo.

francisco...@wazuh.com

Apr 16, 2018, 3:42:55 AM
to Wazuh mailing list
Hi Marcelo!

Let's try to shed light on this issue.

As you know, journald collects logs from many different places, and journalctl provides a way to query and display these logs more easily. A quick guide on how to use journalctl can be found in many places across the web, for example https://www.loggly.com/ultimate-guide/using-journalctl/

A good number of the logs that can be found in journalctl are directly decoded by Wazuh (because they are also collected by syslog). For the other ones, there are several ways to do it.

Luckily, journald logs can be exported in .json format, which gives us a nice way to tackle the problem. You can export, for example, the logs of the last hour in .json format with the following command:

journalctl -o json --since "1 hour ago" > testlog

This will save those logs on the file testlog.

Now, you can add these lines at /var/ossec/etc/ossec.conf:

<localfile>
  <location>/home/user/testlog</location>
  <log_format>json</log_format>
  <frequency>3600</frequency>
  <label key="@source">journald</label>
</localfile>
This will collect the logs we just exported into our new file every 3600 seconds (one hour). This frequency is fully arbitrary. In addition, it will add a label to the .json logs, for better detection.

Now we can create some custom rules for the .json format logs collected by the localfile and store them in /var/ossec/etc/rules/local_rules.xml, for example:

  <rule id="150000" level="5">
    <decoded_as>json</decoded_as>
    <field name="@source">journald</field>
    <!-- field values are regexes; anchor with ^ and $ so UID 1000 does not also match -->
    <field name="_UID">^0$</field>
    <description>Action performed by user with UID=0 (root account).</description>
    <group>custom_rules</group>
  </rule>
This will create an alert for every action performed by the root account.
Now you'll have to set the frequency you want to collect those journald logs. Imagine you want to collect it every hour, so a cronjob for dumping the logs in the same file every hour would do the trick. Or you can also use a command within the localfile configuration, as shown here: 
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html?highlight=command#command
Please note that this is only one of the different ways to get alerts from journald, but can be a good choice due to the scalability provided by the .json format usage.
I hope it helps, and please don't hesitate to ask any further question you may have!
Regards,
Fran G.
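Added example, not from this thread or from Wazuh's code base: a small Python model of what the localfile label and rule 150000 above do to `journalctl -o json` output. It assumes the json decoder turns each line into key/value fields, that the `<label>` is attached as an extra field, and that `<field>` values are unanchored regexes (modelled here with Python's `re`, not Wazuh's own regex engine), which is why an anchored `^0$` pattern is needed to match only root. The journal lines are constructed samples.

```python
import json
import re

# Constructed sample of `journalctl -o json` output (one JSON object per line).
# Note that journald exports _UID as a string, and kernel entries carry no _UID.
SAMPLE_JOURNAL = """\
{"_UID":"0","_COMM":"sshd","MESSAGE":"Accepted publickey for root from 10.0.0.5"}
{"_UID":"1000","_COMM":"bash","MESSAGE":"user session opened"}
{"_UID":"1","_COMM":"daemon","MESSAGE":"housekeeping run"}
{"_COMM":"kernel","MESSAGE":"audit: type=1400 apparmor=DENIED"}
"""


def decode_json_lines(text, label_key="@source", label_value="journald"):
    """Parse journal lines as the json decoder would and attach the localfile label."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event[label_key] = label_value  # <label key="@source">journald</label>
        events.append(event)
    return events


def rule_matches(event, fields):
    """Evaluate a list of (field name, regex) conditions; all must match.

    Assumption: like Wazuh's <field> element, the regex is unanchored, so a
    plain "0" is a substring match and also fires on UID 1000.
    """
    for name, pattern in fields:
        value = event.get(name)
        if value is None or re.search(pattern, str(value)) is None:
            return False
    return True


def matching_uids(text, uid_pattern):
    """Return the _UID of every event that fires rule 150000 with the given _UID pattern."""
    fields = [("@source", "journald"), ("_UID", uid_pattern)]
    return [ev["_UID"] for ev in decode_json_lines(text) if rule_matches(ev, fields)]


if __name__ == "__main__":
    print(matching_uids(SAMPLE_JOURNAL, "0"))    # ['0', '1000']: unanchored, over-matches
    print(matching_uids(SAMPLE_JOURNAL, "^0$"))  # ['0']: anchored, root only
```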
