System Log Collection
Most modern Linux distributions use systemd-journald for system logging. Glouton can collect logs from systemd-journald as well as from Auditd. If your distribution still uses syslog instead of systemd-journald, see the Syslog section below.
systemd-journald
To enable collection of system logs from systemd-journald, set journald_enable to true:

```shell
sudo tee /etc/glouton/conf.d/99-logs-journald.conf > /dev/null << 'EOF'
log.opentelemetry.auto_discovery.journald_enable: true
EOF
```

This option is also enabled when using all_enable.
Once enabled, all system logs from the journal are collected and sent to the Bleemeo Cloud Platform.
Syslog
If your Linux distribution does not have systemd-journald, you can configure Glouton to collect system logs from the /var/log/syslog file instead. Set syslog_enable to true:

```shell
sudo tee /etc/glouton/conf.d/99-logs-syslog.conf > /dev/null << 'EOF'
log.opentelemetry.auto_discovery.syslog_enable: true
EOF
```

This option is also enabled when using all_enable.
Auditd
Auditd logs are produced by the auditd daemon and contain security-related information such as authentication events, file access, and privilege escalation. The service might not be installed by default on your Linux distribution; see Installing Auditd below.

To enable collection of Auditd logs, set auditd_enable to true:

```shell
sudo tee /etc/glouton/conf.d/99-logs-auditd.conf > /dev/null << 'EOF'
log.opentelemetry.auto_discovery.auditd_enable: true
EOF
```

This option is also enabled when using all_enable.
Installing Auditd
For Ubuntu/Debian:

```shell
sudo apt-get install auditd
```

For Fedora, CentOS, AlmaLinux, RockyLinux or similar:

```shell
sudo yum install audit
```

Log Filters
Filters allow you to control which log entries are kept or dropped based on their content. They can be applied globally to all log sources with global filters. Because a global filter applies to every source, an include filter drops every record from journald, syslog or Auditd that does not match it, so write the match condition with that in mind.

For example, to only keep logs from a specific program:

```yaml
log.opentelemetry.global_filters:
  include:
    match_type: strict
    record_attributes:
      - key: 'source_program'
        value: 'sshd-session'
```
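To see what the include filter above does to a mixed batch of records before you deploy it, here is a small Python model of the filter semantics. This is an added example, not Glouton's or Bleemeo's code, and it does not read Glouton's configuration. It assumes the semantics of the OpenTelemetry Collector filter processor, which the option layout (include, match_type, record_attributes) mirrors but the page does not spell out: `strict` compares the attribute value exactly, `regexp` matches it with an unanchored regular expression, a record missing the attribute never matches, and an `exclude` block drops matching records. The `exclude` and `regexp` behaviour and the sample records are assumptions made for the example.

```python
"""Model of a global include/exclude filter over log records.

Added example, not Glouton's own code. The `exclude` block, the `regexp`
match type and the sample records below are assumptions; the page itself
only shows a strict `include` filter on `source_program`.
"""
import re
from dataclasses import dataclass, field


@dataclass
class LogRecord:
    body: str
    attributes: dict = field(default_factory=dict)


def matches(filter_cfg: dict, record: LogRecord) -> bool:
    """True when every record_attributes condition in filter_cfg matches the record.

    A record that lacks one of the listed attribute keys never matches.
    """
    match_type = filter_cfg.get("match_type", "strict")
    for cond in filter_cfg.get("record_attributes", []):
        value = record.attributes.get(cond["key"])
        if value is None:
            return False
        if match_type == "strict":
            if str(value) != str(cond["value"]):
                return False
        elif match_type == "regexp":
            # Unanchored search, like Go's regexp.MatchString; anchor the
            # pattern with ^ and $ yourself if you need a full match.
            if re.search(str(cond["value"]), str(value)) is None:
                return False
        else:
            raise ValueError(f"unknown match_type {match_type!r}")
    return True


def apply_global_filters(global_filters: dict, records):
    """Keep a record only if it matches `include` (when present) and does not
    match `exclude` (when present). No filters at all keeps everything."""
    include = global_filters.get("include")
    exclude = global_filters.get("exclude")
    kept = []
    for rec in records:
        if include is not None and not matches(include, rec):
            continue
        if exclude is not None and matches(exclude, rec):
            continue
        kept.append(rec)
    return kept


# The filter from the page, written as the equivalent Python dict.
PAGE_FILTER = {
    "include": {
        "match_type": "strict",
        "record_attributes": [{"key": "source_program", "value": "sshd-session"}],
    }
}

# Constructed sample records: two sshd-session lines, one cron line and one
# record with no source_program attribute at all (assumed shape, not real data).
SAMPLE_RECORDS = [
    LogRecord("Accepted publickey for alice from 203.0.113.5 port 51234 ssh2",
              {"source_program": "sshd-session"}),
    LogRecord("(root) CMD (run-parts /etc/cron.hourly)", {"source_program": "CRON"}),
    LogRecord("Disconnected from user alice 203.0.113.5 port 51234",
              {"source_program": "sshd-session"}),
    LogRecord("type=USER_AUTH msg=audit(1700000000.123:456): pid=4321 uid=0 "
              "auid=1000 msg='op=PAM:authentication acct=\"alice\" res=success'",
              {}),
]


def kept_bodies(global_filters: dict):
    """Bodies of the records that survive the given global_filters."""
    return [r.body for r in apply_global_filters(global_filters, SAMPLE_RECORDS)]


if __name__ == "__main__":
    for body in kept_bodies(PAGE_FILTER):
        print(body)
```

Run it as a script and only the two sshd-session lines are printed; the cron line and the record without a `source_program` attribute are both dropped, which is exactly the effect a global include filter has on every other source you enabled above.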