Red Hat Enterprise Linux 10 Content Pack
Red Hat Enterprise Linux (RHEL) is an enterprise-grade Linux distribution widely used on servers and cloud infrastructure.
This technology pack provides common log parsing, normalization, and enrichment for Red Hat Enterprise Linux 10 system logs collected via Filebeat.
Supported Distributions
- Red Hat Enterprise Linux 10
Requirements
- Graylog 7.1.0+ with a valid Enterprise license
- Filebeat configured to tag RHEL system logs with the field filebeat_event_source_product: linux_rhel
Stream Configuration
This technology pack includes 1 stream:
- Illuminate:Linux System Messages
Index Set Configuration
This technology pack includes 1 index set definition:
- Linux System Logs
What is Provided
- Rules to parse, normalize, and enrich Red Hat Enterprise Linux 10 system log messages
Events Processed by This Technology Pack
The Red Hat Enterprise Linux 10 content pack supports the following log types. Generic processing is provided for log types not listed.
- Systemd Logs (unit lifecycle, slices, targets, scopes, reload, sysusers, hostname, boot timing, detected platform, signals, devices)
- Systemd-Logind User Sessions (new / logout / removed / seat, session scopes)
- Kernel and System Messages (USB connect/disconnect with manufacturer/product/serial, PCI/SCSI/ATA/DRM driver events, ACPI, device-mapper, audit)
- NetworkManager Logs (severity, subsystem, activation, carrier, DHCPv4 lease, link, audit, state change)
- Authorization and Access Control (PolicyKit auth requests and grants, SELinux access denials via setroubleshoot)
- Package Management (dnf transactions, packagekit, rhsm-service)
- Defensive and Threat-Hunting Signals (firewalld configuration, chronyd clock-step / time-sync, ABRT crash dumps, rsyslog imjournal rate-limit drops)
- Service and Container Activity (systemd-machined, cups requests, dbus-daemon activation, udisks user-initiated mounts)
- Remote Access (gnome-remote-desktop RDP server lifecycle)
- Shell Command Execution Errors
- User Application Launches (systemd transient app-scope units)
GIM Categorization
GIM categorization is provided for the following messages:
| Log Type | Vendor Event Description | GIM Category | GIM Subcategory | GIM Event Type Code |
|---|---|---|---|---|
| Systemd | Service start/restart | service | service.start | 210000 |
| Systemd | Service stop/completion | service | service.stop | 210100 |
| Systemd | Service failure | service | service.state | 211504 |
| Systemd | Service reload | service | service.configuration | 211000 |
| Systemd | User application launch (transient scope unit) | process | process.execute | 190000 |
Message Fields Included in This Pack
General Parsing
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| event_source_product | linux_rhel | string | The product identifier for the log source. |
| event_created | 2026-05-27T13:56:33.000Z | date | The normalized timestamp the event was created. |
| event_reporter_hostname | rhel10 | string | Hostname of the system that reported the log. |
| event_log_path | /var/log/messages | string | Source log file path reported by Filebeat. |
| application_name | systemd | string | The application or subsystem that emitted the message. |
| process_id | 1 | string | Process ID extracted from the syslog header. |
Systemd
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| vendor_event_action | Started | string | The systemd unit lifecycle action. |
| vendor_data_systemd_unit_description | systemd-journald.service - Journal Service | string | The systemd unit name and description. |
| service_name | systemd-journald | string | The systemd unit name (without the .service suffix where applicable). Populated from <unit>.service: <status> lines (22-linux_rhel_systemd_service); transient scope/mount lines (22-linux_rhel_systemd_scope_consumed; 22-linux_rhel_systemd_scope_mount_status); daemon-reload requests (22-linux_rhel_systemd_reload_requested); device-unit messages (22-linux_rhel_systemd_device_event). |
| host_hostname | localhost.localdomain | string | New hostname set by systemd-hostnamed (22-linux_rhel_systemd_hostname_set). |
| file_path | /dev/mapper/rhel-root | string | Block-device or mount-target path. Populated from systemd device-unit messages (22-linux_rhel_systemd_device_event) carrying the underlying /dev path the device unit represents. |
| file_name | rhel-root | string | Basename of file_path; derived inside the same grok via a nested named capture. |
| vendor_data_systemd_service_status | Deactivated successfully | string | The reported systemd service status. |
| service_state | active | string | The systemd unit state from a state-change message. |
| vendor_data_systemd_result | exit-code | string | The systemd failure result. |
| vendor_data_systemd_code | exited | string | The systemd process exit code class. |
| vendor_data_systemd_status_code | 203 | string | The systemd process exit status code (raw vendor passthrough). |
| event_error_code | 203 | string | SDM-normalized process exit code; populated alongside vendor_data_systemd_status_code by 22-linux_rhel_systemd_failed_status. |
| vendor_data_systemd_status_description | EXEC | string | The systemd process exit status description following the status code. |
| vendor_data_systemd_restart_counter | 163056 | long | The systemd scheduled-restart counter (cumulative restart attempts; useful for flapping-service detection). |
| vendor_data_systemd_skip_reason | no trigger condition checks were met | string | The reason a systemd unit was skipped due to an unmet condition check. |
| vendor_event_outcome | Failed | string | The outcome of a systemd start attempt. |
| gim_event_type_code | 210000 | string | The assigned GIM event type code. |
| vendor_data_systemd_scope_originator | gnome | string | The originator (launcher) of a user-application transient scope unit (gnome / flatpak / glib / etc.). |
| vendor_data_systemd_scope_description | Application launched by gnome-shell | string | The human-readable description portion of a user-application scope log line. |
| process_name | org.gnome.Settings | string | The launched application identifier extracted from a systemd user-application scope unit (SDM-promoted from the scope name). |
| process_parent_name | systemd | string | The parent process name for a user-application launch event (preserved from the original systemd syslog source). |
| process_parent_id | 1 | string | The parent process PID for a user-application launch event (preserved from the original process_id set by the syslog header bracket extraction). |
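The following is an added Python example, not part of this content pack or its pipeline rules, that reproduces how the systemd fields and GIM event type codes above are derived from the message text after the systemd[N]: syslog header. The app-<originator>-<app id>-<pid>.scope unit naming is an assumption made for the user-application case.

```python
import re

# GIM event type codes from the pack's table (service.start/.stop/.state/.configuration, process.execute).
GIM = {"start": "210000", "stop": "210100", "failure": "211504",
       "reload": "211000", "app": "190000"}
UNIT_LINE = re.compile(r"^(?P<action>Started|Starting|Stopped|Stopping|Reloaded|Reloading|"
                       r"Failed to start) (?P<unit>\S+?)(?: - (?P<desc>.*?))?\.?$")
STATUS_LINE = re.compile(r"^(?P<unit>\S+\.service): (?P<status>.*?)\.?$")
EXIT = re.compile(r"code=(?P<code>\w+), status=(?P<num>\d+)(?:/(?P<desc>\w+))?")
# Assumed naming of user-application transient units: app-<originator>-<app id>-<pid>.scope
APP_SCOPE = re.compile(r"^app-(?P<orig>[^-]+)-(?P<app>.+)-\d+\.scope$")

def parse_systemd(message):
    # message is the text after the "systemd[N]: " syslog header
    f = {}
    m = UNIT_LINE.match(message)
    if m:
        action, unit, desc = m["action"], m["unit"], m["desc"]
        f["vendor_event_action"] = action
        f["vendor_data_systemd_unit_description"] = unit + (f" - {desc}" if desc else "")
        f["service_name"] = unit.removesuffix(".service")
        if (scope := APP_SCOPE.match(unit)) and action == "Started":   # user app launch
            f.update(vendor_data_systemd_scope_originator=scope["orig"], process_name=scope["app"],
                     vendor_data_systemd_scope_description=desc, process_parent_name="systemd")
            kind = "app"
        elif action == "Failed to start":
            f["vendor_event_outcome"] = "Failed"
            kind = "failure"
        else:
            kind = {"Sta": "start", "Sto": "stop", "Rel": "reload"}[action[:3]]
        f["gim_event_type_code"] = GIM[kind]
        return f
    m = STATUS_LINE.match(message)
    if m:   # "<unit>.service: <status>" lines
        f["service_name"], status = m["unit"].removesuffix(".service"), m["status"]
        f["vendor_data_systemd_service_status"] = status
        if e := EXIT.search(status):                  # e.g. code=exited, status=203/EXEC
            f["vendor_data_systemd_code"] = e["code"]
            f["vendor_data_systemd_status_code"] = f["event_error_code"] = e["num"]
            if e["desc"]:
                f["vendor_data_systemd_status_description"] = e["desc"]
        if r := re.search(r"Failed with result '([^']+)'", status):
            f["vendor_data_systemd_result"] = r[1]
            f["gim_event_type_code"] = GIM["failure"]
        if c := re.search(r"restart counter is at (\d+)", status):
            f["vendor_data_systemd_restart_counter"] = int(c[1])   # flapping-service signal
        if status.startswith("Deactivated"):
            f["gim_event_type_code"] = GIM["stop"]
    return f
```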
Kernel and System
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| vendor_data_kernel_subsystem | ACPI | string | The kernel subsystem that emitted the message. |
| vendor_event_description | Using IOAPIC for interrupt routing | string | The kernel message text following the subsystem prefix. |
| vendor_data_pci_address | 0000:00:01.0 | string | The PCI device address from a PCI subsystem message. |
| vendor_data_dm_component | ioctl | string | The device-mapper component from a device-mapper message. |
| vendor_data_audit_type | 2000 | string | The kernel audit record type. |
| vendor_data_audit_serial | 1 | string | The kernel audit record serial number. |
| vendor_data_audit_timestamp | 1779890193.149 | string | The kernel audit record epoch timestamp. |
| vendor_data_audit_message | state=initialized audit_enabled=0 res=1 | string | The kernel audit record payload. |
Shell Command Errors
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| process_path | /bin/bash | string | Full path of the shell binary that emitted the error. |
| process_name | bash | string | Basename of the shell binary (process_path). |
| process_target_path | /sherpa/dummy/bin/startup.sh | string | Full path of the command or file the shell attempted to execute. |
| process_target_name | startup.sh | string | Basename of the target (process_target_path). |
| event_error_description | No such file or directory | string | The shell's reason for the failure (e.g. No such file or directory; Permission denied; command not found). |
| event_outcome | failure | string | Normalized event outcome (failure) for shell command execution errors. |
| vendor_event_description | Shell command execution error | string | The normalized event description for shell command errors. |
NetworkManager
| Field Name | Example Value | Field Type | Description |
|---|---|---|---|
| vendor_event_severity | info | string | The raw NetworkManager severity tag (trace/debug/info/warn/err) captured from the <severity> log prefix. |
| vendor_data_nm_epoch | 1779976236.5413 | string | The NetworkManager monotonic epoch timestamp with millisecond precision. |
| vendor_data_nm_subsystem | device | string | The NetworkManager internal subsystem that emitted the message (e.g. device; platform; manager; agent-manager; policy; audit; dhcp4). When the subsystem label originally included an interface in parens (device (ens18)) the parens are stripped and the interface is captured into vendor_data_nm_interface. |
| vendor_data_nm_interface | ens18 | string | The network interface name extracted from NetworkManager messages. Captured as a vendor field because the SDM network entity has no non-direction-bound interface field (network_interface_in / network_interface_out are traffic-flow-scoped). |
| vendor_data_nm_state_previous | activated | string | The previous interface state from a NetworkManager 'state change: <from> -> <to>' message. |
| vendor_data_nm_state_current | deactivating | string | The new interface state from a NetworkManager 'state change: <from> -> <to>' message. |
| vendor_data_nm_state_reason | user-requested | string | The optional reason from a NetworkManager 'state change' message (parsed from the trailing (reason '<r>'...) clause when present). |
| vendor_data_nm_state | CONNECTED_GLOBAL | string | The global NetworkManager connectivity state extracted from manager-subsystem 'NetworkManager state is now <STATE>' messages. |
| vendor_event_action | device-disconnect | string | The raw action verb from a NetworkManager audit message (connection-activate; device-disconnect; etc.) - SDM-aligned vendor name for the action. |
| vendor_data_nm_ifindex | 2 | string | The kernel interface index from a NetworkManager audit message. |
| vendor_event_outcome | success | string | The raw result field from a NetworkManager audit message (success / fail / failed) - SDM-aligned vendor name for the outcome. |
| event_outcome | success | string | Normalized SDM outcome derived from vendor_event_outcome (success -> success; fail / failed -> failure). Set only for known values; unknown vendor results leave event_outcome unset to avoid mis-categorization. |
| vendor_event_description | agent registered | string | The NetworkManager message body following the subsystem prefix. May be shortened by the link / state-change follow-up rules. |
| event_severity | informational | string | Normalized SDM severity derived from vendor_event_severity (trace/debug/info -> informational; warn -> medium; err -> high). |
| event_severity_level | 1 | long | Numeric SDM severity (1=informational; 2=low; 3=medium; 4=high; 5=critical). Set as a paired field with event_severity since core derives the level only for GIM-categorized events. |
| process_id | 2539 | string | SDM process_id promoted from NetworkManager audit pid=N (renamed from vendor_data_nm_pid). |
| user_id | 1000 | string | SDM user_id promoted from NetworkManager audit uid=N (renamed from vendor_data_nm_uid). |
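The following is an added Python example, not part of this content pack or its pipeline rules, showing how the NetworkManager fields above are derived: the <severity> prefix, the subsystem with its parenthesised interface, state-change transitions with their reason, the manager connectivity state, and audit key/value pairs with the pid/uid promotion and the outcome and severity normalisation rules. The sample lines are constructed, not taken from the page.

```python
import re

# Constructed sample lines in NetworkManager's journal format (not from the page).
SAMPLES = [
    "<info>  [1779976236.5413] device (ens18): state change: activated -> deactivating "
    "(reason 'user-requested', managed-type: 'full')",
    '<info>  [1779976236.5420] audit: op="device-disconnect" interface="ens18" ifindex=2 '
    'pid=2539 uid=1000 result="success"',
    "<warn>  [1779976236.5501] manager: NetworkManager state is now CONNECTED_GLOBAL",
]
# Severity and outcome normalisation as the field table describes.
SEVERITY = {"trace": ("informational", 1), "debug": ("informational", 1),
            "info": ("informational", 1), "warn": ("medium", 3), "err": ("high", 4)}
OUTCOME = {"success": "success", "fail": "failure", "failed": "failure"}

HEADER = re.compile(r"^<(?P<sev>\w+)>\s+\[(?P<epoch>\d+\.\d+)\]\s+"
                    r"(?P<subsys>[\w-]+)(?:\s+\((?P<iface>[^)]+)\))?:\s+(?P<body>.*)$")
STATE = re.compile(r"state change: (?P<prev>[\w-]+) -> (?P<cur>[\w-]+)"
                   r"(?: \(reason '(?P<reason>[^']*)')?")
AUDIT_KV = re.compile(r'(\w+)="?([^"\s]*)"?')
# Audit key -> field name; pid and uid are promoted to SDM fields.
AUDIT_MAP = {"op": "vendor_event_action", "interface": "vendor_data_nm_interface",
             "ifindex": "vendor_data_nm_ifindex", "pid": "process_id", "uid": "user_id"}

def parse_nm(message):
    """Return the pack's NetworkManager fields for one message, or {} if unparsable."""
    m = HEADER.match(message)
    if not m:
        return {}
    f = {"vendor_event_severity": m["sev"], "vendor_data_nm_epoch": m["epoch"],
         "vendor_data_nm_subsystem": m["subsys"], "vendor_event_description": m["body"]}
    if m["iface"]:                       # "device (ens18)" -> subsystem + interface
        f["vendor_data_nm_interface"] = m["iface"]
    if m["sev"] in SEVERITY:             # paired severity fields; unknown tags stay raw-only
        f["event_severity"], f["event_severity_level"] = SEVERITY[m["sev"]]
    if s := STATE.search(m["body"]):
        f["vendor_data_nm_state_previous"], f["vendor_data_nm_state_current"] = s["prev"], s["cur"]
        if s["reason"]:
            f["vendor_data_nm_state_reason"] = s["reason"]
    g = re.search(r"NetworkManager state is now (\S+)", m["body"])
    if m["subsys"] == "manager" and g:
        f["vendor_data_nm_state"] = g[1]
    if m["subsys"] == "audit":
        for key, val in AUDIT_KV.findall(m["body"]):
            if key in AUDIT_MAP:
                f[AUDIT_MAP[key]] = val
            elif key == "result":        # only known results become event_outcome
                f["vendor_event_outcome"] = val
                if val in OUTCOME:
                    f["event_outcome"] = OUTCOME[val]
    return f
```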
