artif: new systemd journal artifacts

Add new artifact to collect the "*.journal~". These journal files are created when system crashes or fails to shut down properly. Also, add artifacts related to "journalctl" command. These artifacts verify the integrity of journal files and show a listing of time periods between boots.
tclahr · Sep 3, 2024 · c2bc411 · c2bc411
1 parent f5971ed
commit c2bc411
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/artifacts/files/logs/journal.yaml b/artifacts/files/logs/journal.yaml
@@ -1,8 +1,8 @@
-version: 1.0
+version: 1.1
 artifacts:
   -
     description: Collect journal log files.
     supported_os: [linux]
     collector: file
     path: /
-    name_pattern: ["*.journal"]
+    name_pattern: ["*.journal", "*.journal~"]
diff --git a/artifacts/live_response/system/journalctl.yaml b/artifacts/live_response/system/journalctl.yaml
@@ -0,0 +1,16 @@
+version: 1.0
+condition: command_exists "journalctl"
+output_directory: /live_response/system
+artifacts:
+  -
+    description: Verify the integrity of journal log files.
+    supported_os: [linux]
+    collector: command
+    command: journalctl --verify
+    output_file: journalctl_--verify.txt
+  -
+    description: Show a listing of time periods between boots.
+    supported_os: [linux]
+    collector: command
+    command: journalctl --list-boots
+    output_file: journalctl_--list-boots.txt