ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Monitoring logs of journald not working #2122

Open bntuser opened 1 month ago

bntuser commented 1 month ago

I am trying to read the output of journalctl, so I have added these lines to the ossec.conf file:

  <localfile>
    <log_format>journald</log_format>
    <location>all</location>
  </localfile>

  <localfile>
    <log_format>journald</log_format>
    <location>su</location>
  </localfile>

  <localfile>
    <log_format>journald</log_format>
    <location>NetworkManager</location>
  </localfile>

(I just copied the following commit): https://github.com/ossec/ossec-hids/pull/1852/commits/4d01278349b5fd42f8f5beb8355872352500a2d3

And what I get in ossec.log is:

2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'all'.
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'su'.
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'NetworkManager'.

2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'all'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'su'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'NetworkManager'.

Doesn't the implementation allow OSSEC to read directly from the output of journalctl, or do I have to create a new file and add it to the location label?

Also, I have the logall option set to yes in order to see if the journald logs are being monitored, and none of the logs I find there are from journald.

Any help?
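A quick way to confirm what the reporter describes, namely that every journald `<localfile>` in ossec.conf ends up in a "File not available, ignoring it" line, is to cross-check the configuration against ossec.log rather than eyeballing both. The script below is an added example written for this page, not code from the OSSEC project; it embeds a constructed ossec.conf fragment (with the same three journald entries as the issue plus one syslog entry) and constructed ossec.log lines shaped like the ones quoted above. It assumes only the two formats shown on the page: `<localfile>` blocks with `<log_format>` and `<location>` children, and logcollector lines that end with the location in single quotes. Because a real ossec.conf may contain several top-level `<ossec_config>` elements, the config text is wrapped in a synthetic root before parsing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (not taken from a real host). The journald
# entries mirror the ones in the issue; the syslog entry is a control.
SAMPLE_CONF = """
<ossec_config>
  <localfile>
    <log_format>journald</log_format>
    <location>all</location>
  </localfile>
  <localfile>
    <log_format>journald</log_format>
    <location>su</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>journald</log_format>
    <location>NetworkManager</location>
  </localfile>
</ossec_config>
"""

# Constructed ossec.log lines, shaped like the ones quoted in the issue.
SAMPLE_LOG = """\
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'all'.
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'su'.
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'NetworkManager'.
2024/05/13 12:35:12 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/auth.log'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'all'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'su'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'NetworkManager'.
"""

# Matches "<ts> ossec-logcollector(<code>): <level>: <msg>: '<location>'."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ossec-logcollector\((?P<code>\d+)\): (?P<level>\w+): "
    r"(?P<msg>.*?): '(?P<loc>[^']*)'\.$"
)


def parse_localfiles(conf_text):
    """Return [(log_format, location), ...] for every <localfile> block.

    ossec.conf may hold several top-level <ossec_config> elements, which is
    not well-formed XML on its own, so wrap it in a synthetic root first.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        loc = (lf.findtext("location") or "").strip()
        entries.append((fmt, loc))
    return entries


def parse_logcollector(log_text):
    """Return one dict per logcollector line that names a location."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def ignored_locations(conf_text, log_text, log_format="journald"):
    """Locations configured with `log_format` that logcollector then ignored.

    The match is on the message text ("File not available, ignoring it"),
    which is what the page shows, rather than on the numeric message id.
    """
    configured = {loc for fmt, loc in parse_localfiles(conf_text) if fmt == log_format}
    ignored = {
        e["loc"]
        for e in parse_logcollector(log_text)
        if e["msg"].startswith("File not available")
    }
    return sorted(configured & ignored)


if __name__ == "__main__":
    for loc in ignored_locations(SAMPLE_CONF, SAMPLE_LOG):
        print(f"journald location configured but ignored by logcollector: {loc!r}")
```

Run against a real host by replacing the two sample strings with the contents of ossec.conf and ossec.log; an empty result means every journald location was accepted, while a non-empty one reproduces the symptom in this report and names exactly which entries to revisit.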