Parse the output of the journalctl command. Journalctl is an interface to the systemd journal, which records information about system events.
name: Linux.Sys.JournalCtl
description: |
  Parse the output of the journalctl command. Journalctl is an interface to the systemd journal, which records information about system events.

reference:
  - https://man7.org/linux/man-pages/man1/journalctl.1.html

parameters:
  # Handed to execve()'s length argument (output capture buffer size;
  # see the execve plugin docs for exact semantics).
  - name: Length
    default: 10000
    type: int
  # Optional window for the collection. An unset value is replaced by a
  # wide sentinel date inside the query, so both may be left blank.
  - name: DateAfter
    type: timestamp
  - name: DateBefore
    type: timestamp

author: Wes Lambert -- @therealwlambert/@weslambert@infosec.exchange

sources:
  - query: |
      -- Render a timestamp in the "YYYY-MM-DD HH:MM:SS UTC" shape that
      -- journalctl's -S/--since and -U/--until options accept.
      LET FmtJournalTime(ts) = format(
          format='%d-%02d-%02d %02d:%02d:%02d UTC',
          args=[ts.Year, ts.Month, ts.Day, ts.Hour, ts.Minute, ts.Second])

      -- Lower/upper bounds for the journal query; unset parameters fall
      -- back to sentinel dates far outside any real journal.
      LET SinceArg = FmtJournalTime(ts=if(condition=DateAfter,
                                          then=DateAfter,
                                          else=timestamp(epoch='1600-01-01')))
      LET UntilArg = FmtJournalTime(ts=if(condition=DateBefore,
                                          then=DateBefore,
                                          else=timestamp(epoch='2200-01-01')))

      -- journalctl is invoked by absolute path and argv is passed as a
      -- list (no shell), so the formatted dates are ordinary arguments.
      -- Output is split on newlines: one JSON object per row.
      LET RawLines = SELECT * FROM execve(
            length=Length,
            argv=['/usr/bin/journalctl',
                  '-o', 'json',
                  '-S', SinceArg,
                  '-U', UntilArg],
            sep="\n")

      -- Decode each non-empty stdout line into a journal entry object.
      LET Entries = SELECT parse_json(data=Stdout) AS Entry
                    FROM RawLines
                    WHERE Stdout

      -- Columns whose name starts with "_" are de-emphasised in the GUI;
      -- Timestamp, Message, BootID and Cursor are the primary fields.
      SELECT
        -- __REALTIME_TIMESTAMP is documented by systemd as a microsecond
        -- epoch string; NOTE(review): confirm timestamp() parses it as intended.
        timestamp(string=Entry.__REALTIME_TIMESTAMP) AS Timestamp,
        Entry._HOSTNAME AS _Hostname,
        Entry.MESSAGE AS Message,
        Entry._MACHINE_ID AS _MachineID,
        Entry._BOOT_ID AS BootID,
        Entry.SYSLOG_IDENTIFIER AS _SyslogIdentifier,
        Entry.PRIORITY AS _Priority,
        Entry.SYSLOG_FACILITY AS _SyslogFacility,
        Entry.__MONOTONIC_TIMESTAMP AS _MonotonicTS,
        Entry._SOURCE_MONOTONIC_TIMESTAMP AS _SourceMonoTS,
        Entry._TRANSPORT AS _Transport,
        Entry.__CURSOR AS Cursor
      FROM Entries