Integrating Linux Journald With Blumira

Blumira’s modern cloud SIEM platform integrates with Linux Journald to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected.

When configured, the Blumira integration with Journald will stream security event logs to the Blumira service for automated threat detection and actionable response.

Get visibility, detect and respond to threats faster:

  • Quickly detect known and suspected threats with Blumira’s cloud-based platform
  • Reduce the noise of false-positive alerts with backend automation and fine-tuned alerting
  • Detect lateral movement across your environment with virtual honeypots
  • Get guided and actionable remediation playbooks for teams without security expertise
  • View easy-to-understand dashboards and security threat reports to help organizations meet compliance requirements

See how easy it is to set up Blumira with Linux Journald for log ingestion:

Set Up Instructions

Configure Log Forwarding for Linux Journald

Required Blumira Module: Logger

This article assumes you have already set up log ingestion for the Linux operating system itself. If you haven't done that yet, follow the Linux integration documentation first: https://www.blumira.com/integration/linux/

Journald Configuration for Log Forwarding

Generally speaking, this is a single change to the journald configuration. Open /etc/systemd/journald.conf with sudo and your preferred editor and set the ForwardToSyslog option to yes, so the line reads ForwardToSyslog=yes. In the file shipped with systemd the option is usually present but commented out (#ForwardToSyslog=no), so remove the leading # as well as changing the value; a commented line has no effect.

sudo vim /etc/systemd/journald.conf

No other options need to be changed in the journald configuration for log forwarding. Journald will now write a copy of every event to its syslog socket (/run/systemd/journal/syslog), which rsyslogd reads through its imuxsock module. Check that your rsyslog configuration actually listens on that socket: if rsyslog reads the journal directly with imjournal and has imuxsock's system socket disabled, this setting has no effect. Also check /etc/systemd/journald.conf.d/ for drop-in files, since a drop-in that sets ForwardToSyslog=no overrides the main file.

Save the file and restart the systemd-journald service on the machine. Note: where the journald unit supports it, systemctl reload systemd-journald can be used in place of restart if restarting journald entirely must be avoided.

sudo systemctl restart systemd-journald

At this point the configuration is complete. The forwarded events also appear in /var/log/messages (or your distribution's equivalent catch-all log file, such as /var/log/syslog) alongside the other syslog messages. The Blumira rsyslog configuration in /etc/rsyslog.d/ that handles Linux log forwarding will forward them automatically. Before relying on it, confirm that a freshly generated journal entry reaches the catch-all file and, from there, your Blumira sensor.
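The procedure above, condensed into a script with the checks a practitioner would want. This is an added example, not Blumira's own tooling or any file from the Linux integration. It assumes a GNU/Linux host with POSIX sh, awk and sed; that rsyslog receives journald's forwarded messages through the imuxsock system socket; that the catch-all file is /var/log/messages or /var/log/syslog; that the upstream default for an unset ForwardToSyslog is no; and, as a simplification, it only considers drop-ins under /etc/systemd/journald.conf.d (systemd also honours /run and /usr/lib). The helper functions only touch the file paths they are given, so they can be exercised against scratch copies; the live system is modified only when the script is run as root with --apply.

```shell
#!/bin/sh
# Added example (not Blumira's tooling): enable journald -> syslog forwarding idempotently,
# check that no drop-in overrides it, and verify end to end with a marker message.
# Assumptions: GNU/Linux, POSIX sh/awk/sed, rsyslog reading journald's socket via imuxsock,
# catch-all file /var/log/messages or /var/log/syslog, upstream default ForwardToSyslog=no.
set -eu

# set_forward_to_syslog FILE
# Leaves FILE with exactly one active "ForwardToSyslog=yes" line, whether the option was
# absent, shipped commented out ("#ForwardToSyslog=no"), set to another value, or duplicated.
set_forward_to_syslog() {
    cfg_file="$1"
    cfg_out=$(mktemp)
    awk '
        /^\[Journal\]/ { seen_header = 1 }
        /^[ \t]*#?[ \t]*ForwardToSyslog=/ {
            if (!done) { print "ForwardToSyslog=yes"; done = 1 }
            next    # drop commented, stale or duplicate copies of the line
        }
        { print }
        END {
            if (!done) {
                if (!seen_header) print "[Journal]"
                print "ForwardToSyslog=yes"
            }
        }
    ' "$cfg_file" > "$cfg_out"
    cat "$cfg_out" > "$cfg_file"    # overwrite in place so ownership and mode survive
    rm -f "$cfg_out"
}

# effective_forward_to_syslog MAIN_CONF DROPIN_DIR
# Prints the value journald will actually use: drop-ins in DROPIN_DIR are applied in
# lexical order after the main file and the last setting wins. Only one drop-in
# directory is considered here (assumption); systemd also reads /run and /usr/lib.
effective_forward_to_syslog() {
    eff_value=no    # upstream default when the option is unset (assumption)
    for eff_f in "$1" "$2"/*.conf; do
        [ -f "$eff_f" ] || continue
        eff_v=$(sed -nE 's/^[[:space:]]*ForwardToSyslog=[[:space:]]*([^[:space:]]+).*/\1/p' "$eff_f" | tail -n 1)
        [ -n "$eff_v" ] && eff_value="$eff_v"
    done
    printf '%s\n' "$eff_value"
}

# apply_on_host
# Changes the live system: only invoked when the script is run as root with --apply.
apply_on_host() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    set_forward_to_syslog /etc/systemd/journald.conf
    if [ "$(effective_forward_to_syslog /etc/systemd/journald.conf /etc/systemd/journald.conf.d)" != yes ]; then
        echo "a drop-in in /etc/systemd/journald.conf.d still overrides ForwardToSyslog" >&2
        return 1
    fi
    # Forwarding only reaches rsyslog if imuxsock listens on journald's syslog socket;
    # a config that reads the journal with imjournal and disables that socket ignores it.
    echo "rsyslog input modules in use:"
    grep -hE 'imuxsock|imjournal' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null || true
    systemctl restart systemd-journald
    marker="journald-forward-check-$$"
    logger -t forward-check "$marker"    # enters the journal via /dev/log, then the syslog socket
    sleep 1
    if grep -q "$marker" /var/log/messages /var/log/syslog 2>/dev/null; then
        echo "journald -> rsyslog forwarding verified"
    else
        echo "marker not found in the catch-all log; check rsyslog's imuxsock settings" >&2
        return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_on_host
fi
```

Run it as sudo sh forward.sh --apply on the host; without --apply it only defines the functions, which is how it can be tested against a scratch journald.conf first. The drop-in check matters because a later package upgrade or configuration-management run can add a drop-in that silently turns forwarding back off, and the marker message is the cheapest way to prove the journald to rsyslog hop works before assuming the Blumira forwarder in /etc/rsyslog.d/ is seeing anything.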