I am trying to read the output of journalctl, so I have added these lines in the ossec.conf file:
<localfile>
<log_format>journald</log_format>
<location>all</location>
</localfile>
<localfile>
<log_format>journald</log_format>
<location>su</location>
</localfile>
<localfile>
<log_format>journald</log_format>
<location>NetworkManager</location>
</localfile>
(I just copied the following commit):
4d01278
And what I get in ossec.log is:
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'all'.
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'su'.
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'NetworkManager'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'all'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'su'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'NetworkManager'.
Doesn't the implementation allow OSSEC to read directly from the output of journalctl, or do I have to create a new file and add it to the location label?
Also, I have the logall option set to yes in order to see if the journald logs are being monitored, and none of the logs I find there are from journald.
Any help?
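As an added example (not part of the post and not OSSEC's own code): a small Python checker that parses the ossec.log lines quoted above and reports which journald locations the logcollector first announced and then reported as unavailable, so a source that is silently dropped does not go unnoticed. The log lines are the ones from the post; the regexes and function names are my own assumptions about the line format shown there.

```python
import re

# The ossec.log lines quoted in the post above (constructed verbatim from it).
SAMPLE_LOG = """\
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'all'.
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'su'.
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'NetworkManager'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'all'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'su'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'NetworkManager'.
"""

# Generic shape of a logcollector line: timestamp, pid, level, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ossec-logcollector\((?P<pid>\d+)\): "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# The two message types seen in the post.
ANALYZING_RE = re.compile(r"Analyzing journald log: '(?P<loc>[^']*)'\.")
IGNORED_RE = re.compile(r"File not available, ignoring it: '(?P<loc>[^']*)'\.")


def parse_logcollector(text):
    """Yield (timestamp, pid, level, message) for every logcollector line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), int(m.group("pid")), m.group("level"), m.group("msg")


def journald_collection_status(text):
    """Map each location to 'active' or 'dropped', in order of first appearance.

    A location becomes 'active' when an 'Analyzing journald log' line names it
    and 'dropped' when a later 'File not available' line names it (the pid is
    parsed too, so a reader can see the two messages come from different
    logcollector processes in the post's output)."""
    status = {}
    for _ts, _pid, _level, msg in parse_logcollector(text):
        m = ANALYZING_RE.match(msg)
        if m:
            status[m.group("loc")] = "active"
            continue
        m = IGNORED_RE.match(msg)
        if m:
            status[m.group("loc")] = "dropped"
    return status


def dropped_locations(text):
    """Locations that were configured but ended up ignored: a monitoring gap."""
    return [loc for loc, s in journald_collection_status(text).items() if s == "dropped"]


if __name__ == "__main__":
    for loc, state in journald_collection_status(SAMPLE_LOG).items():
        print(f"{loc:15s} {state}")
```

Run against a live ossec.log, an empty list from dropped_locations means every configured journald location is still being read.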