diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md
index ba5511a5f..cc756826a 100644
--- a/docs/malcolm-hedgehog-e2e-iso-install.md
+++ b/docs/malcolm-hedgehog-e2e-iso-install.md
@@ -572,9 +572,9 @@ Despite configuring capture and/or forwarder services as described in previous s
 * **AUTOSTART_FILEBEAT** - [filebeat](#Hedgehogfilebeat) Zeek and Suricata log forwarder
 * **AUTOSTART_FLUENTBIT_AIDE** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/exec) [AIDE](https://aide.github.io/) file system integrity checks
 * **AUTOSTART_FLUENTBIT_AUDITLOG** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/tail) [auditd](https://man7.org/linux/man-pages/man8/auditd.8.html) logs
-* *AUTOSTART_FLUENTBIT_KMSG* - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/kernel-logs) the Linux kernel log buffer (these are generally reflected in syslog as well, which may make this agent redundant)
+* *AUTOSTART_FLUENTBIT_KMSG* - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/kernel-logs) the Linux kernel log buffer (these are generally reflected in the Systemd log as well, which may make this agent redundant)
 * **AUTOSTART_FLUENTBIT_METRICS** - [Fluent Bit](https://fluentbit.io/) agent for collecting [various](https://docs.fluentbit.io/manual/pipeline/inputs) system resource and performance metrics
-* **AUTOSTART_FLUENTBIT_SYSLOG** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/syslog) Linux syslog messages
+* **AUTOSTART_FLUENTBIT_SYSTEMD** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/systemd) log messages from the Linux Journald daemon
 * **AUTOSTART_FLUENTBIT_THERMAL** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/thermal) system temperatures (only applicable on actual hardware, not if Hedgehog is running on a virtual machine)
 * **AUTOSTART_MISCBEAT** - [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) forwarder which sends system metrics collected by [Fluent Bit](https://fluentbit.io/) to a remote Logstash instance (e.g., [Malcolm]({{ site.github.repository_url }})'s)
 * *AUTOSTART_NETSNIFF* - [netsniff-ng](http://netsniff-ng.org/) PCAP engine for saving packet capture (PCAP) files
@@ -617,7 +617,7 @@ fluentbit-metrics:disk RUNNING pid 6468, uptime 0:03:17
 fluentbit-metrics:mem RUNNING pid 6472, uptime 0:03:17
 fluentbit-metrics:mem_p RUNNING pid 6473, uptime 0:03:17
 fluentbit-metrics:netif RUNNING pid 6474, uptime 0:03:17
-fluentbit-syslog RUNNING pid 6478, uptime 0:03:17
+fluentbit-systemd RUNNING pid 6478, uptime 0:03:17
 fluentbit-thermal RUNNING pid 6480, uptime 0:03:17
 netsniff:netsniff-enp1s0 STOPPED Not started
 prune:prune-pcap RUNNING pid 6484, uptime 0:03:17
diff --git a/logstash/pipelines/beats/11_beats_logs.conf b/logstash/pipelines/beats/11_beats_logs.conf
index 17c7a3998..944d07445 100644
--- a/logstash/pipelines/beats/11_beats_logs.conf
+++ b/logstash/pipelines/beats/11_beats_logs.conf
@@ -545,6 +545,11 @@ filter {
 } # if ([miscbeat][syslog])
+ # if ([miscbeat][systemd]) {
+ # #-------------------------------------------------
+ # # systemd - https://docs.fluentbit.io/manual/pipeline/inputs/systemd
+ # } # if ([miscbeat][systemd])
+
 if ([miscbeat][thermal]) {
 #-------------------------------------------------
 # thermal - https://docs.fluentbit.io/manual/pipeline/inputs/thermal
diff --git a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot
index 9d160f065..7e4f86f29 100755
--- a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot
+++ b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot
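Review bot: The new `[miscbeat][systemd]` branch is added entirely commented out, so records that fluent-bit tags with `module systemd` reach this filter with no field handling at all, and a reader cannot tell whether that is a placeholder or a branch that was disabled by accident. If the pass-through is intended for now, a line inside the commented block such as `# # TODO: field normalization for systemd journal records (currently passed through unchanged)` would make that explicit, as would a note on what the branch is expected to do once the journal field names are known. The enclosing `filter { }` block begins and ends outside this hunk.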
@@ -121,14 +121,6 @@ echo "umask 077" >> /etc/profile
 echo "export UMASK=077" >> /etc/profile
 echo "export PYTHONDONTWRITEBYTECODE=1" >> /etc/profile
 
-# enable cron logging
-sed -r -i "s@^#(cron\.\*\s+.*/var/log/cron\.log)@\1@" /etc/rsyslog.conf
-
-# enable rsyslog forwarding to localhost:9514 over UDP (for filebeat syslog input)
-echo >> /etc/rsyslog.conf
-echo '*.* @127.0.0.1:9514' >> /etc/rsyslog.conf
-echo >> /etc/rsyslog.conf
-
 # put sudoers log into its own logfile
 awk 'FNR==NR{ if (/^Defaults/) p=NR; next} 1; FNR==p{ print "Defaults\t!syslog\nDefaults\tlogfile=/var/log/sudo.log" }' /etc/sudoers /etc/sudoers > /tmp/newsudoers
 mv /tmp/newsudoers /etc/sudoers && chmod 440 /etc/sudoers
diff --git a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot
index 95349d90f..93afb4f60 100755
--- a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot
@@ -96,14 +96,6 @@ echo "umask 077" >> /etc/profile
 echo "export UMASK=077" >> /etc/profile
 echo "export PYTHONDONTWRITEBYTECODE=1" >> /etc/profile
 
-# enable cron logging
-sed -r -i "s@^#(cron\.\*\s+.*/var/log/cron\.log)@\1@" /etc/rsyslog.conf
-
-# enable rsyslog forwarding to localhost:9514 over UDP (for filebeat syslog input)
-echo >> /etc/rsyslog.conf
-echo '*.* @127.0.0.1:9514' >> /etc/rsyslog.conf
-echo >> /etc/rsyslog.conf
-
 # put sudoers log into its own logfile
 awk 'FNR==NR{ if (/^Defaults/) p=NR; next} 1; FNR==p{ print "Defaults\t!syslog\nDefaults\tlogfile=/var/log/sudo.log" }' /etc/sudoers /etc/sudoers > /tmp/newsudoers
 mv /tmp/newsudoers /etc/sudoers && chmod 440 /etc/sudoers
diff --git a/sensor-iso/interface/sensor_ctl/control_vars.conf b/sensor-iso/interface/sensor_ctl/control_vars.conf
index 98301dae5..67a48f3dc 100644
--- a/sensor-iso/interface/sensor_ctl/control_vars.conf
+++ b/sensor-iso/interface/sensor_ctl/control_vars.conf
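Review bot: Dropping the `*.* @127.0.0.1:9514` forwarding is consistent with deleting the fluent-bit syslog listener, but the same hunk also removes the `sed` that uncommented the `cron.*` rule in /etc/rsyslog.conf, so cron activity no longer gets its own /var/log/cron.log on the image and nothing in the hunk says that this was intended rather than collateral; the identical pair of removals appears in the sensor-iso hook below. Since the journal is now the only path by which local system messages reach the new fluent-bit systemd input, it would be worth confirming that journald on the image keeps them persistently (journald.conf `Storage=`), which this hunk does not set. A short comment at the removal point, e.g. `# rsyslog forwarding to a local listener removed; fluent-bit's systemd input reads the journal directly`, would record why the configuration went away. The rest of the hook script is outside the hunk.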
@@ -140,7 +140,7 @@ export AUTOSTART_FLUENTBIT_AIDE=false
 export AUTOSTART_FLUENTBIT_AUDITLOG=false
 export AUTOSTART_FLUENTBIT_KMSG=false
 export AUTOSTART_FLUENTBIT_METRICS=false
-export AUTOSTART_FLUENTBIT_SYSLOG=false
+export AUTOSTART_FLUENTBIT_SYSTEMD=false
 export AUTOSTART_FLUENTBIT_THERMAL=false
 export AUTOSTART_MISCBEAT=false
 export AUTOSTART_NETSNIFF=false
diff --git a/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-syslog.conf b/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-syslog.conf
deleted file mode 100644
index 0aaef35eb..000000000
--- a/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-syslog.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-[program:fluentbit-syslog]
-command=/opt/fluent-bit/bin/fluent-bit
- -R /etc/fluent-bit/parsers.conf
- -i syslog
- -p Mode=udp
- -p Listen=127.0.0.1
- -p Port=9514
- -p Parser=syslog-rfc3164
- -p Buffer_Chunk_Size=32000
- -p Buffer_Max_Size=64000
- -o tcp://localhost:%(ENV_MISCBEAT_PORT)s
- -p format=json_lines
- -F nest -p Operation=nest -p Nested_under=syslog -p WildCard='*' -m '*'
- -F record_modifier -p "Record=module syslog" -m '*'
- -f 1
-startsecs=20
-startretries=3
-stopasgroup=true
-killasgroup=true
-autostart=%(ENV_AUTOSTART_FLUENTBIT_SYSLOG)s
-autorestart=%(ENV_AUTOSTART_FLUENTBIT_SYSLOG)s
diff --git a/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-systemd.conf b/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-systemd.conf
new file mode 100644
index 000000000..d62057e30
--- /dev/null
+++ b/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-systemd.conf
@@ -0,0 +1,18 @@
+[program:fluentbit-systemd]
+command=/opt/fluent-bit/bin/fluent-bit
+ -R /etc/fluent-bit/parsers.conf
+ -i systemd
+ -p Read_From_Tail=On
+ -p Lowercase=On
+ -p Strip_Underscores=On
+ -o tcp://localhost:%(ENV_MISCBEAT_PORT)s
+ -p format=json_lines
+ -F nest -p Operation=nest -p Nested_under=systemd -p WildCard='*' -m '*'
+ -F record_modifier -p "Record=module systemd" -m '*'
+ -f 1
+startsecs=20
+startretries=3
+stopasgroup=true
+killasgroup=true
+autostart=%(ENV_AUTOSTART_FLUENTBIT_SYSTEMD)s
+autorestart=%(ENV_AUTOSTART_FLUENTBIT_SYSTEMD)s
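Review bot: `Read_From_Tail=On` with no cursor database means every start of this program skips whatever journald recorded while fluent-bit was not running, so each restart of the sensor services (and `autorestart` after a crash) is a silent gap in the journal data forwarded to Malcolm; the systemd input can persist its position with `-p DB=<cursor-db-path>` (placeholder path) so it resumes where it stopped. The deleted syslog program only needed a UDP socket on 127.0.0.1, whereas reading the journal directly requires the account supervisord runs this program under to have journal read access (root or the systemd-journal group), which is not visible in this change and should be confirmed on the image — otherwise the program starts cleanly and forwards nothing. A comment above `command=` recording both points would save the next maintainer the same investigation.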