Hi, 

Since this is on my questions list, I'll jump right in (instead of creating 
another thread).

If I understood it right, on systemd/journald distros you have to install 
rsyslog additionally in order for the OSSEC rules to still work?!
Otherwise the OSSEC rules wouldn't fire, since they can't read the binary 
output of journald?

So it would mean: journald + rsyslog for log collection,
logstash-forwarder (to transport the logs, if you have an ELK environment),
and ossec-agent (to analyze the logs)?!

Does this make sense, or am I completely far off?!

On Tuesday, June 3, 2014 at 7:41:37 PM UTC+2, Jeremy Rossi wrote:
>
> * Aaron Hunter <[email protected]> [2014-06-03 09:00:06 -0700]: 
>
> >It's journald that concerns me the most. journald replaces (r)syslog 
> >entirely. It does not provide syslog format log files nor even text based 
> >log files. Instead, as I understand it, journald uses only a binary log 
> >format. This means that the text format based OSSEC rules will no longer 
> >work on a pure journald system. OSSEC would have to talk directly to 
> >journald (through D-BUS?) and its rules would have to be re-written for the 
> >new binary format. That sounds like a significant undertaking which is why 
> >I raised this question. journald is a wholesale replacement of the current 
> >syslog based logging system with an entirely different paradigm. 
>
> from: 
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/pdf/Migration_Planning_Guide/Red_Hat_Enterprise_Linux-7-Beta-Migration_Planning_Guide-en-US.pdf
>  
>
> On Red Hat Enterprise Linux 7, rsyslog and journald coexist. The data 
> collected by journald is forwarded to rsyslog, which can perform further 
> processing and store text-based log files. By default, rsyslog only 
> stores the journal fields that are typical for syslog messages, but can 
> be configured to store all the fields available to journald. Red Hat 
> Enterprise Linux 7 therefore remains compatible with applications and 
> system configurations that rely on rsyslog. 
>
> > 
> >I think syslog can still be installed and connected to journald as a 
> >work-around but I'm not certain. 
>
> It sure can ;) 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
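The pipeline asked about above (journald feeding rsyslog, rsyslog writing a text file, ossec-agent reading that file) is easy to get silently wrong: if rsyslog is installed but neither pulls from the journal nor receives forwarded messages, /var/log/messages stays empty and no OSSEC rule fires. The script below is an added example, not code from the thread or from the OSSEC project. It checks the two real mechanisms by which rsyslog gets journal data (its imjournal input module, or journald's ForwardToSyslog=yes delivered to rsyslog's imuxsock) and whether ossec.conf has a localfile entry for the resulting file. All paths, and the sample config files it writes into a temp directory, are constructed for the demo rather than taken from a real host.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread or the OSSEC project):
# audit whether a systemd host actually delivers journal messages into a
# text log file that OSSEC is configured to read. File paths are
# assumptions; the sample configs below are constructed for the demo.

# rsyslog can obtain journal data in two ways:
#  - pull it from the journal itself with the imjournal module, or
#  - receive what journald forwards to its syslog socket when
#    journald.conf has ForwardToSyslog=yes (read by rsyslog's imuxsock).
# Prints which path is in use and returns 0, or prints "none" and returns 1.
rsyslog_reads_journal() {
    rsyslog_conf=$1
    journald_conf=$2
    if grep -Eq '^[[:space:]]*(\$ModLoad[[:space:]]+imjournal|module\(load="imjournal")' "$rsyslog_conf"; then
        echo imjournal
        return 0
    fi
    if grep -Eq '^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*yes' "$journald_conf" &&
       grep -Eq '^[[:space:]]*(\$ModLoad[[:space:]]+imuxsock|module\(load="imuxsock")' "$rsyslog_conf"; then
        echo forward
        return 0
    fi
    echo none
    return 1
}

# Does ossec.conf contain a <localfile> entry for the given path?
ossec_watches() {
    ossec_conf=$1
    logfile=$2
    grep -q "<location>$logfile</location>" "$ossec_conf"
}

# Constructed sample configs: an rsyslog.conf that loads imjournal, a
# journald.conf that does not forward, a "bare" rsyslog.conf with neither
# path, and a minimal ossec.conf. Writes them to a temp dir, prints its path.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/rsyslog.conf" <<'EOF'
$ModLoad imuxsock # provides support for local system logging
$ModLoad imjournal # provides access to the systemd journal
$OmitLocalLogging on
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
EOF
    cat > "$dir/journald.conf" <<'EOF'
[Journal]
ForwardToSyslog=no
EOF
    cat > "$dir/rsyslog-bare.conf" <<'EOF'
$ModLoad imuxsock
*.info   /var/log/messages
EOF
    cat > "$dir/ossec.conf" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
EOF
    echo "$dir"
}

# Demo: run both checks against the constructed configs.
demo() {
    dir=$(make_sample_configs)
    path=$(rsyslog_reads_journal "$dir/rsyslog.conf" "$dir/journald.conf")
    echo "rsyslog.conf: journal reaches rsyslog via: $path"
    path=$(rsyslog_reads_journal "$dir/rsyslog-bare.conf" "$dir/journald.conf")
    echo "rsyslog-bare.conf: journal reaches rsyslog via: $path"
    if ossec_watches "$dir/ossec.conf" /var/log/messages; then
        echo "ossec.conf watches /var/log/messages"
    fi
    rm -rf "$dir"
}

demo
```

On a real host you would point the functions at /etc/rsyslog.conf (plus /etc/rsyslog.d/*), /etc/systemd/journald.conf and /var/ossec/etc/ossec.conf; the "bare" case is the one where OSSEC stays quiet even though everything is installed.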