Wazuh Agent: Collecting Kernel Logs from journald on Fedora

This document explains how to configure the Wazuh agent on a Fedora system to collect kernel logs from journald using journalctl, and how to verify and view them on the Wazuh Dashboard.

---

1. Configure the Wazuh Agent

Edit /var/ossec/etc/ossec.conf and add:

<localfile>
  <command>journalctl -k --no-pager -o short-iso -f -n 0</command>
  <log_format>syslog</log_format>
  <alias>journald-kernel</alias>
</localfile>

This instructs the Wazuh agent to tail only kernel logs from journald.

---

2. Restart the Wazuh Agent

sudo systemctl restart wazuh-agent

---

3. Verify Logs on the Fedora Host

cat /var/ossec/logs/ossec.log | grep journalctl

You should see entries confirming that ossec-logcollector started reading from journalctl.

---

4. Generate Kernel Logs for Testing

sudo dmesg --kernel --level=warn,err,crit

This triggers kernel warnings and errors that should be forwarded by the agent.

---

5. View Kernel Logs in Wazuh Dashboard

In the Wazuh Dashboard:

1. Go to Security events → Security Events (Discover).

2. Use filters such as:

   agent.name:"fedora" AND data.syslog.facility:kernel

   or

   agent.name:"fedora" AND rule.groups:"syslog"

3. Check the Alerts view for triggered rules (e.g., 5302, 5303).

---

6. Create a Custom Dashboard Panel (Optional)

To build a dedicated view:

1. Dashboard → Create visualization
2. Select Data Table or Log Stream
3. Apply filter: data.syslog.facility:kernel
4. Save as "Kernel Logs (Fedora)"
5. Add it to your custom dashboard

---

Conclusion

With this setup, kernel logs from Fedora’s journald are continuously collected by the Wazuh agent, sent to the Wazuh Manager, and made available in the Wazuh Dashboard for monitoring and alerting.