Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend Wazuh Dashboard with Systemd-Journald Log Viewing Capability #6564

Closed
3 tasks
JcabreraC opened this issue Apr 1, 2024 · 4 comments · Fixed by #6572
Closed
3 tasks

Extend Wazuh Dashboard with Systemd-Journald Log Viewing Capability #6564

JcabreraC opened this issue Apr 1, 2024 · 4 comments · Fixed by #6572
Assignees
@JuanGarriuz
Labels
level/task Task issue type/enhancement Enhancement issue

Comments

@JcabreraC
Copy link
Member

JcabreraC commented Apr 1, 2024
edited
Loading

Description

To complement the recently introduced journald log collection feature in Wazuh, this issue proposes adding a dedicated systemd-journald events tab to the Wazuh Dashboard's "Log Collection" section. This new tab will enable users to visualize journald configuration from their agent.

Background

Wazuh now supports the collection of systemd-journald logs, providing detailed insights into system and service behaviors. To fully leverage this feature, it's crucial to present journald log configutation in the Wazuh Dashboard in an intuitive and accessible manner, akin to how Windows, macOS, and other log types are currently displayed.

Configuration and API Response Examples

Example Configurations and Corresponding API Outputs:

  1. Basic journald Log Collection:

    Configuration:

    <localfile>
  <log_format>journald</log_format>
  <location>journald</location>
</localfile>

    API Output:

    {
    "localfile": [
        {
            "logformat": "journald",
            "only-future-events": "yes",
            "target": ["agent"]
        }
    ]
}

  2. journald Log Collection with Filters:

    Configuration:

    <localfile>
  <location>journald</location>
  <log_format>journald</log_format>
  <filter field="_KERNEL_DEVICE">.</filter>
</localfile>

    API Output:

    {
    "localfile": [
        {
            "logformat": "journald",
            "only-future-events": "yes",
            "target": ["agent"],
            "filters": [
                {
                    "field": "_KERNEL_DEVICE",
                    "expression": ".",
                    "ignore_if_missing": false
                }
            ],
            "filters_disabled": false
        }
    ]
}

  3. Complex journald Configuration with Multiple Filters:

    Configuration:

    <localfile>
  <log_format>journald</log_format>
  <location>journald</location>
</localfile>
<!-- Additional configurations omitted for brevity -->

    API Output:

    {
    "logformat": "journald",
    "only-future-events": "no",
    "target": ["agent"],
    "filters": [
        [
            {
                "field": "_KERNEL_DEVICE",
                "expression": ".",
                "ignore_if_missing": false
            }
        ],
        [
            {
                "field": "_SYSTEMD_UNIT",
                "expression": "^cron.service$",
                "ignore_if_missing": false
            },
            {
                "field": "CUSTOM",
                "expression": "0|1|2",
                "ignore_if_missing": true
            }
        ]
    ],
    "filters_disabled": false
}

Requirements

  • Implement a systemd-journald events tab in the Wazuh Dashboard's "Log Collection" section.
  • The interface should dynamically display journald log configurations and filters based on the API's response, as illustrated in the examples above.
  • Ensure the UI provides an intuitive and informative experience, allowing users to easily interpret the journald log configuration.

Tasks

  • Design and implement the UI for displaying journald logs, with attention to displaying detailed filter configurations.
  • Develop the necessary backend and frontend integrations to fetch and present journald log data configuration.
  • Validate the implementation with different journald log configurations to ensure accuracy and usability.

Additional Considerations

  • Given the potential complexity and variety of journald log configurations, the design should prioritize clarity and ease of navigation.

This feature is a critical step towards leveraging the full capabilities of journald log collection within the Wazuh ecosystem, offering users a comprehensive toolset for system monitoring and analysis.
@wazuhci wazuhci moved this to Triage in Release 4.9.0 Apr 1, 2024
@asteriscos asteriscos added type/enhancement Enhancement issue level/task Task issue labels Apr 2, 2024
@wazuhci wazuhci moved this from Triage to Backlog in Release 4.9.0 Apr 2, 2024
@JcabreraC JcabreraC mentioned this issue Apr 4, 2024
Closed
12 tasks
@wazuhci wazuhci moved this from Backlog to In progress in Release 4.9.0 Apr 4, 2024
@JuanGarriuz JuanGarriuz mentioned this issue Apr 4, 2024
Merged
9 tasks
@JuanGarriuz JuanGarriuz linked a pull request Apr 8, 2024 that will close this issue
Implement journald log collection feature #6572
Merged
9 tasks
@JuanGarriuz
Copy link
Member

JuanGarriuz commented Apr 11, 2024
edited
Loading

Update 11/04

Journald tab is running correctly, but the response structure difficult the render a table with agent-linked values.

Evidence

image
image
image

To Do

  • Investigate if there is a better form to render the filter table
  • Improve Filters visualization
  • Update Changelog

@wazuhci wazuhci moved this from In progress to Pending review in Release 4.9.0 Apr 11, 2024
@wazuhci wazuhci moved this from Pending review to On hold in Release 4.9.0 Apr 12, 2024
@wazuhci wazuhci moved this from On hold to Pending review in Release 4.9.0 Apr 12, 2024
@wazuhci wazuhci moved this from Pending review to In progress in Release 4.9.0 Apr 12, 2024
@JuanGarriuz
Copy link
Member

JuanGarriuz commented Apr 15, 2024
edited
Loading

Update 15/04

The array structure represents a logic structure, meaning that we should represent the filters in a logic expression. Array's array represents an OR structure, and objects on arrays represent an AND structure. Then we should change the filter representation.

  • Change the filters table structure to a logic expression structure.

@wazuhci wazuhci moved this from In progress to Blocked in Release 4.9.0 Apr 15, 2024
@wazuhci wazuhci moved this from Blocked to In progress in Release 4.9.0 Apr 16, 2024
@JuanGarriuz
Copy link
Member

Update 16/04

After a meeting, it has been decided to revert to the table structure, representing filter groups as OR units and separated from other filter units by an AND, displayed in the table with an element that will appear on the left as 'Filters Group'.

@JuanGarriuz
Copy link
Member

JuanGarriuz commented Apr 18, 2024
edited
Loading

Update 18/04

Different formats to render the dashboard.

Table

image

Tree View

image

@wazuhci wazuhci moved this from In progress to Pending review in Release 4.9.0 Apr 18, 2024
@wazuhci wazuhci moved this from Pending review to Pending final review in Release 4.9.0 Apr 18, 2024
@Tostti Tostti closed this as completed Apr 24, 2024
@wazuhci wazuhci moved this from Pending final review to Done in Release 4.9.0 Apr 24, 2024
@JuanGarriuz JuanGarriuz mentioned this issue Jun 21, 2024
Closed
1 task
@asteriscos asteriscos mentioned this issue Jul 16, 2024
Closed
1 task
@Machi3mfl Machi3mfl mentioned this issue Jul 22, 2024
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JuanGarriuz JuanGarriuz

Labels
level/task Task issue type/enhancement Enhancement issue
Projects
No open projects
Release 4.9.0
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Implement journald log collection feature wazuh/wazuh-dashboard-plugins
4 participants
@asteriscos @JcabreraC @Tostti @JuanGarriuz