From 6b0c6664c9909766185635b02345013efbb15dd7 Mon Sep 17 00:00:00 2001
From: Andreas Misje
Date: Fri, 4 Oct 2024 15:22:05 +0200
Subject: [PATCH] Journal notebook suggestion: Simple syslog-like view

Add a notebook suggestion that creates a simple table that looks very much like the default output from journalctl.
---
 .../definitions/Linux/Forensics/Journal.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/artifacts/definitions/Linux/Forensics/Journal.yaml b/artifacts/definitions/Linux/Forensics/Journal.yaml
index ca1e5edc3d..32dcb7a867 100644
--- a/artifacts/definitions/Linux/Forensics/Journal.yaml
+++ b/artifacts/definitions/Linux/Forensics/Journal.yaml
@@ -38,3 +38,19 @@ sources:
       FROM parse_journald(filename=OSPath, start_time=DateAfter, end_time=DateBefore)
     })
+
+  notebook:
+    - type: vql_suggestion
+      name: Simplified syslog-like view
+      template: |
+        /*
+        # Simplified log view
+        */
+        LET ColumnTypes<=dict(`_ClientId`='client')
+
+        SELECT System.Timestamp AS Timestamp,
+          ClientId AS _ClientId,
+          client_info(client_id=ClientId).os_info.hostname AS Hostname,
+          EventData.SYSLOG_IDENTIFIER AS Unit,
+          EventData.MESSAGE AS Message
+        FROM source()
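Review bot: The column label in `EventData.SYSLOG_IDENTIFIER AS Unit,` is misleading for a forensic view: SYSLOG_IDENTIFIER is a client-supplied journal field that the logging process sets itself, whereas the unit association journald records is the trusted, underscore-prefixed `_SYSTEMD_UNIT` field that client code cannot alter. Presenting the self-declared identifier as the unit invites an analyst to read a process's own claim as provenance. Since the stated goal is to mirror journalctl, which prints the identifier, rename it `EventData.SYSLOG_IDENTIFIER AS Identifier,` and, if parse_journald exposes the trusted fields in EventData, add `EventData._SYSTEMD_UNIT AS Unit,` next to it so both the claimed and the recorded origin are visible. The enclosing artifact definition starts before this hunk, so the fields available in EventData cannot be confirmed from the patch alone.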