When configured, the Blumira integration with Journald will stream security event logs to the Blumira service for automated threat detection and actionable response.
Get visibility, detect and respond to threats faster:
See how easy it is to set up Blumira with Linux Journald for log ingestion:
Required Blumira Module: Logger
This article assumes you have already set up log ingestion for the actual Linux Operating System. If you haven’t set that up yet, head over to the integration documentation and set it up quickly – https://www.blumira.com/integration/linux/
Generally speaking, this is a single change to the journald configuration. Open /etc/systemd/journald.conf with sudo and your preferred editor and set the option ForwardToSyslog to yes (in a stock journald.conf the line ships commented out as #ForwardToSyslog=no, so uncomment it as well as changing the value). The resulting line should read ForwardToSyslog=yes.
sudo vim /etc/systemd/journald.conf
No other options need to be changed in the journald configuration for log forwarding. The journald events will now flow into the rsyslogd syslog socket.
Save the file and restart the systemd-journald service on the machine. Note: Reload can be used in place of restart if there is a particular need to avoid restarting the journald service entirely.
sudo systemctl restart systemd-journald
At this point the configuration is complete. The journald events can also be found in /var/log/messages (or the equivalent catch-all log file on your OS), tagged with the journal namespace. The Blumira configuration in /etc/rsyslog.d/ that handles Linux log forwarding will forward them automatically.
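The edit above is easy to get subtly wrong by hand (leaving the commented default in place, or ending up with two ForwardToSyslog lines, where the last one wins). The script below is an added example, not part of Blumira's documentation or tooling: it rewrites a journald.conf-style file so that ForwardToSyslog=yes appears exactly once under the [Journal] section, and it offers a small check function you can run before and after the change. It assumes only POSIX sh, awk and sed; the file path is passed as an argument so you can try it on a copy before running it with sudo against /etc/systemd/journald.conf, and you still restart systemd-journald afterwards as described above.

```shell
#!/bin/sh
# Added example (not Blumira's code): idempotently enable ForwardToSyslog=yes
# in a journald.conf-style file and report the effective setting.
# Usage: sudo sh enable_forward.sh /etc/systemd/journald.conf
set -eu

# Print the effective ForwardToSyslog value in FILE.
# Only uncommented assignments count; the last one wins, which matches how
# systemd reads repeated keys. Prints "unset" when the key is absent or
# present only as the commented-out default (#ForwardToSyslog=no).
forward_to_syslog_value() {
    file="$1"
    val=$(sed -n 's/^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*//p' "$file" | tail -n 1)
    if [ -z "$val" ]; then
        echo unset
    else
        echo "$val"
    fi
}

# Rewrite FILE so that ForwardToSyslog=yes is set exactly once, directly
# under the [Journal] header. Every existing active or commented-out
# ForwardToSyslog line is dropped first, so running this twice is harmless.
# If the file has no [Journal] section at all, one is appended.
enable_forward_to_syslog() {
    file="$1"
    tmp=$(mktemp)
    awk '
        /^[ \t]*#?[ \t]*ForwardToSyslog[ \t]*=/ { next }       # drop old settings
        { print }
        /^\[Journal\]/ && !done { print "ForwardToSyslog=yes"; done = 1 }
        END { if (!done) print "\n[Journal]\nForwardToSyslog=yes" }
    ' "$file" > "$tmp"
    # Copy contents back rather than mv, so the original owner/mode survive.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# When given a path on the command line, apply the change and show the result.
if [ "${1:-}" ]; then
    echo "before: ForwardToSyslog=$(forward_to_syslog_value "$1")"
    enable_forward_to_syslog "$1"
    echo "after:  ForwardToSyslog=$(forward_to_syslog_value "$1")"
fi
```

After restarting the service, a useful cross-check on systemd 240 or newer is `systemd-analyze cat-config systemd/journald.conf`, which prints the merged configuration (including any drop-ins under /etc/systemd/journald.conf.d/) so you can confirm that no later file overrides the value back to no.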