

Implement journald log collection feature (#6572)
* Added tab

* Add journald tab

* Added changes to imposter

* journald values filters table

* Update changelog and redesign filters table

* Fixed styles

* Fixed hardcode bug

* Added filters groups

* Change to an accordion render

* Added helps-link

* Added changelog

* Fix changelog and message popover improve

* Update configuration-setting imports

* Fix macOS log title

* resolve comments

* Fixed info EuiText rendering and the header not rendering in the journald tab

* Add verification to mac and journald agents and add condition to journald

---------

Co-authored-by: Federico Rodriguez <federico.rodriguez@wazuh.com>
2 people authored and Machi3mfl committed Apr 25, 2024
1 parent 2b19e1d commit 7c5271b
Showing 10 changed files with 345 additions and 136 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -13,6 +13,7 @@ All notable changes to the Wazuh app project will be documented in this file.
- Added propagation of updates from the table to dashboard visualizations in Endpoints summary [#6460](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6460)
- Handle index pattern selector on new discover [#6499](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6499)
- Added macOS log collector tab [#6545](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6545)
- Added journald log collector tab [#6572](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6572)

### Changed

132 changes: 69 additions & 63 deletions docker/imposter/agents/configuration/logcollector-localfile.json
@@ -1,132 +1,150 @@
{
"data": {
"localfile": [
{
"logformat": "journald",
"ignore_binaries": "no",
"only-future-events": "no",
"target": ["agent1"],
"filters": [
[
{
"field": "_KERNEL_DEVICE",
"expression": ".kernel1",
"ignore_if_missing": false
}
],
[
{
"field": "_SYSTEMD_UNIT",
"expression": "^cron.service$",
"ignore_if_missing": false
},
{
"field": "CUSTOM",
"expression": "0|1|2",
"ignore_if_missing": true
}
]
],
"filters_disabled": false
},
{
"logformat": "journald",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": ["agent2"]
},
{
"logformat": "journald",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": ["agent3"],
"filters": [
{
"field": "_KERNEL_DEVICE",
"expression": ".",
"ignore_if_missing": false
}
],
"filters_disabled": false
},
{
"logformat": "macos",
"query": {
"value": "(process == \"sudo\") or (process == \"sessionlogoutd\" and message contains \"logout is complete.\") or (process == \"sshd\") or (process == \"tccd\" and message contains \"Update Access Record\") or (message contains \"SessionAgentNotificationCenter\") or (process == \"screensharingd\" and message contains \"Authentication\") or (process == \"securityd\" and eventMessage contains \"Session\" and subsystem == \"com.apple.securityd\")",
"level": "info",
"type": [
"log",
"activity",
"trace"
]
"type": ["log", "activity", "trace"]
},
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
"target": ["agent"]
},
{
"logformat": "command",
"command": "df -P",
"alias": "df -P",
"ignore_binaries": "no",
"target": [
"agent"
],
"target": ["agent"],
"frequency": 360
},
{
"logformat": "full_command",
"command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d",
"alias": "netstat listening ports",
"ignore_binaries": "no",
"target": [
"agent"
],
"target": ["agent"],
"frequency": 360
},
{
"logformat": "full_command",
"command": "last -n 20",
"alias": "last -n 20",
"ignore_binaries": "no",
"target": [
"agent"
],
"target": ["agent"],
"frequency": 360
},
{
"file": "/var/log/test.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
"target": ["agent"]
},
{
"file": "/var/log/nginx/access.log",
"logformat": "apache",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
"target": ["agent"]
},
{
"file": "/var/log/nginx/error.log",
"logformat": "apache",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
"target": ["agent"]
},
{
"file": "/var/ossec/logs/active-responses.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
"target": ["agent"]
},
{
"file": "/var/log/auth.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
"target": ["agent"]
},
{
"file": "/var/log/syslog",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
"target": ["agent"]
},
{
"file": "/var/log/dpkg.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
"target": ["agent"]
},
{
"file": "/var/log/kern.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
"target": ["agent"]
},
{
"channel": "Application",
"logformat": "eventlog",
"ignore_binaries": "no",
"target": [
"agent"
]
"target": ["agent"]
},
{
"channel": "Security",
Expand All @@ -136,58 +154,46 @@
},
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
],
"target": ["agent"],
"reconnect_time": 5
},
{
"channel": "System",
"logformat": "eventlog",
"ignore_binaries": "no",
"target": [
"agent"
]
"target": ["agent"]
},
{
"file": "active-response\\active-responses.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
"target": ["agent"]
},
{
"channel": "Microsoft-Windows-Sysmon/Operational",
"logformat": "eventchannel",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
],
"target": ["agent"],
"reconnect_time": 5
},
{
"channel": "Microsoft-Windows-Windows Defender/Operational",
"logformat": "eventchannel",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
],
"target": ["agent"],
"reconnect_time": 5
},
{
"file": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex240321.log",
"logformat": "iis",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
"target": ["agent"]
}
]
},
"error": 0
}
}
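Review bot: The new `filters` key has two different shapes in this fixture: in the `agent1` entry it is an array of filter groups (an array of arrays of filter objects), while in the `agent3` entry it is a flat array of filter objects, so the consumer of this mock — which is not in this hunk — has to branch on `Array.isArray(filters[0])` or it will mis-render one of the two. If the agent's config endpoint emits only one of these forms, both entries should use that form; if the tab is meant to tolerate both, a sibling entry or a line in the commit message should say so, since this mock is the only contract the tab is being built against. The same caution applies to the mixed boolean encodings, `"only-future-events": "no"` as a string beside `"ignore_if_missing": false` as a JSON boolean: that presumably mirrors the real API output, but it is worth confirming against a live agent before shipping, because a string `"no"` is truthy in JavaScript and an `if (localfile['only-future-events'])` check would silently invert the meaning.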
