System and Auditd Log Collection
Automatic Collection
To enable collection of system and auditd logs, activate journalctl_enable and auditd_enable with a Glouton configuration file:

```
sudo tee /etc/glouton/conf.d/99-logs.conf > /dev/null << 'EOF'
log.opentelemetry.auto_discovery.journalctl_enable: true
log.opentelemetry.auto_discovery.auditd_enable: true
EOF
```

Once enabled, all system logs from journalctl and auditd are collected. Use the filters described below to restrict what is kept.
Auditd Logs
Auditd logs are produced by the auditd daemon and contain security-related information. The service might not be installed by default on your Linux distribution. To install auditd from your distribution's package repository:
For Ubuntu/Debian:
```
sudo apt-get install auditd
```

For Fedora, CentOS, AlmaLinux, Rocky Linux or similar:

```
sudo yum install audit
```

Log filters
Filters can also be applied globally with global filters.
For example, to only keep logs from a specific program:
```
log.opentelemetry.global_filters:
  include:
    match_type: strict
    record_attributes:
      - key: 'source_program'
        value: 'sshd-session'
```

Syslog Fallback
On most Linux distributions, system logs are produced by journald and read with journalctl. If your distribution doesn't have journalctl, you can configure Glouton to collect system logs from /var/log/syslog instead.
Create a configuration file to enable syslog discovery rather than journalctl:
```
sudo tee /etc/glouton/conf.d/99-logs.conf > /dev/null << 'EOF'
log.opentelemetry.auto_discovery.syslog_enable: true
log.opentelemetry.auto_discovery.journalctl_enable: false
EOF
```
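To make the effect of the global filter from the Log filters section above concrete, the following added example (not Glouton's or Bleemeo's code) simulates the include/exclude, match_type and record_attributes shape over a handful of constructed log records. It assumes these settings behave like the OpenTelemetry Collector filter processor (an include rule keeps only matching records, an exclude rule drops matching ones, and strict means exact attribute equality while regexp means a regular-expression search); the sample records and the helper names are constructed for this illustration.

```python
"""Simulate OpenTelemetry-style log filter rules over constructed records.

Added example, not part of the Glouton documentation or code base. It
models the include/exclude -> match_type -> record_attributes shape of the
page's global_filters setting; that Glouton evaluates it exactly like the
OpenTelemetry Collector filter processor is an assumption of this example.
"""
import re

# Constructed sample records, roughly what journald/auditd collection yields.
SAMPLE_RECORDS = [
    {"body": "Accepted publickey for alice from 10.0.0.5",
     "attrs": {"source_program": "sshd-session"}},
    {"body": "Started Session 12 of user alice",
     "attrs": {"source_program": "systemd"}},
    {"body": "type=USER_LOGIN msg=audit(...): res=failed",
     "attrs": {"source_program": "auditd"}},
    {"body": "Invalid user bob from 10.0.0.9",
     "attrs": {"source_program": "sshd-session"}},
    {"body": "record without a source_program attribute", "attrs": {}},
]

# The filter shown on the page, expressed as the parsed YAML would be.
PAGE_FILTER = {
    "include": {
        "match_type": "strict",
        "record_attributes": [{"key": "source_program", "value": "sshd-session"}],
    }
}


def _attr_matches(record, match_type, key, value):
    """One record_attributes entry against one record; missing key never matches."""
    actual = record["attrs"].get(key)
    if actual is None:
        return False
    if match_type == "strict":
        return actual == value
    if match_type == "regexp":
        return re.search(value, actual) is not None
    raise ValueError(f"unknown match_type: {match_type}")


def _rule_matches(record, rule):
    """A rule matches only when every listed attribute matches."""
    return all(
        _attr_matches(record, rule["match_type"], entry["key"], entry["value"])
        for entry in rule["record_attributes"]
    )


def apply_filter(records, filt):
    """Keep records that pass the include rule (if any) and miss the exclude rule (if any)."""
    kept = []
    for record in records:
        if "include" in filt and not _rule_matches(record, filt["include"]):
            continue
        if "exclude" in filt and _rule_matches(record, filt["exclude"]):
            continue
        kept.append(record)
    return kept


def kept_programs(records, filt):
    """Convenience view: the source_program of each record the filter keeps."""
    return [r["attrs"].get("source_program", "<none>") for r in apply_filter(records, filt)]


if __name__ == "__main__":
    print("page filter keeps:", kept_programs(SAMPLE_RECORDS, PAGE_FILTER))
    regexp_filter = {"include": {"match_type": "regexp",
                                 "record_attributes": [{"key": "source_program",
                                                        "value": "^(sshd|auditd)"}]}}
    print("regexp include keeps:", kept_programs(SAMPLE_RECORDS, regexp_filter))
```

The strict include rule keeps only the two sshd-session records and silently drops everything else, including the auditd record and any record that lacks the attribute, which is why an include filter deserves a second look before it is applied globally to a host whose auditd logs you rely on; an exclude rule for the noisy program is the narrower change when the goal is just to cut volume.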