From f74ad6af4a4471cec47300c079e118b81111e500 Mon Sep 17 00:00:00 2001
From: Andreas Misje
Date: Fri, 4 Oct 2024 15:49:15 +0200
Subject: [PATCH] Add a Journal notebook suggestion: Simple syslog-like view (#3803) Add a notebook suggestion that creates a simple table that looks very much like the default output from journalctl. I find myself studying the identifier/unit and message exclusively most of the time. Having this simplification as a VQL suggestion would be very handy for day-to-day use.
---
 .../definitions/Linux/Forensics/Journal.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/artifacts/definitions/Linux/Forensics/Journal.yaml b/artifacts/definitions/Linux/Forensics/Journal.yaml
index ca1e5edc3d..32dcb7a867 100644
--- a/artifacts/definitions/Linux/Forensics/Journal.yaml
+++ b/artifacts/definitions/Linux/Forensics/Journal.yaml
@@ -38,3 +38,19 @@ sources: FROM parse_journald(filename=OSPath, start_time=DateAfter, end_time=DateBefore) })
+
+ notebook:
+ - type: vql_suggestion
+ name: Simplified syslog-like view
+ template: |
+ /*
+ # Simplified log view
+ */
+ LET ColumnTypes<=dict(`_ClientId`='client')
+
+ SELECT System.Timestamp AS Timestamp,
+ ClientId AS _ClientId,
+ client_info(client_id=ClientId).os_info.hostname AS Hostname,
+ EventData.SYSLOG_IDENTIFIER AS Unit,
+ EventData.MESSAGE AS Message
+ FROM source()
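Review bot: The `Unit` column in the new template is NULL for journal entries that carry no `SYSLOG_IDENTIFIER` field, so the view is less complete than journalctl's short output, which falls back to `_COMM` in that case. If `parse_journald` exposes the underscore-prefixed trusted fields in `EventData` (to be confirmed), the line could read `if(condition=EventData.SYSLOG_IDENTIFIER, then=EventData.SYSLOG_IDENTIFIER, else=EventData._COMM) AS Unit,`. The template's header comment `# Simplified log view` could also state that the columns mirror journalctl's default output and that `Hostname` is resolved through `client_info()` for every row, which is a per-row lookup. The three context lines belong to the existing `sources` query, whose start is outside the hunk.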