Skip to main content
Version: Next

Journald

This module allows the Security Engine to acquire logs from journalctl files in one-shot and streaming mode.

Configuration example

To monitor SSH logs from journald:

source: journalctl
journalctl_filter:
- "_SYSTEMD_UNIT=ssh.service"
labels:
type: syslog

Rather to specify each systemd service, you could also decide to acquire more informations from journald by referrencing a filter from _TRANSPORT

---
source: journalctl
journalctl_filter:
- "_TRANSPORT=journal"
labels:
type: syslog
---
source: journalctl
journalctl_filter:
- "_TRANSPORT=syslog"
labels:
type: syslog
---
source: journalctl
journalctl_filter:
- "_TRANSPORT=stdout"
labels:
type: syslog
---
source: journalctl
journalctl_filter:
- "_TRANSPORT=kernel"
labels:
type: syslog
---

Parameters

journalctl_filter

A list of journalctl filters. This is mandatory.

this list is transformed into arguments passed to the journalctl binary, so any arguments supported by journalctl can be defined here

source

Must be journalctl

DSN and command-line

This module supports acquisition directly from the command line, to read journalctl logs in one shot.

A 'pseudo DSN' must be provided:

crowdsec -type syslog -dsn journalctl://filters=_SYSTEMD_UNIT=ssh.service&filters=_UID=42

You can specify the log_level parameter to change the log level for the acquisition :

crowdsec -type syslog -dsn journalctl://filters=MY_FILTER&filters=MY_OTHER_FILTER&log_level=debug