Red Hat Enterprise Linux 10 Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Red Hat Enterprise Linux (RHEL) is an enterprise-grade Linux distribution widely used on servers and cloud infrastructure.

This technology pack provides common log parsing, normalization, and enrichment for Red Hat Enterprise Linux 10 system logs collected via Filebeat.

Supported Distributions

  • Red Hat Enterprise Linux 10

Requirements

  • Graylog 7.1.0+ with a valid Enterprise license

  • Filebeat configured to tag RHEL system logs with field filebeat_event_source_product: linux_rhel
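An added Filebeat configuration (not from this page or the Illuminate pack) showing one way to satisfy the tagging requirement. It assumes RHEL writes system and auth logs to /var/log/messages and /var/log/secure via rsyslog, and that the Graylog Beats input keeps its default "filebeat_" field prefix, so a top-level Filebeat field `event_source_product` arrives in Graylog as `filebeat_event_source_product`; the Graylog hostname is a placeholder.

```yaml
# filebeat.yml (added example, not part of the Illuminate pack)
filebeat.inputs:
  - type: filestream
    id: rhel-system-logs
    paths:
      - /var/log/messages
      - /var/log/secure
    # Required: with fields_under_root the custom field is sent at the top
    # level, and the Graylog Beats input (default "filebeat_" prefix) stores it
    # as filebeat_event_source_product, which is what the pack's rules test.
    # Without it the field would be nested under "fields" and arrive as
    # filebeat_fields_event_source_product, so the pack would not match.
    fields_under_root: true
    fields:
      event_source_product: linux_rhel

output.logstash:
  # Graylog Beats input listening on TCP 5044; hostname is a placeholder
  hosts: ["graylog.example.internal:5044"]
```

After restarting Filebeat, confirm in Graylog that incoming messages carry `filebeat_event_source_product: linux_rhel` before expecting the Illuminate:Linux System Messages stream to fill.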

Stream Configuration

This technology pack includes 1 stream:

  • Illuminate:Linux System Messages

Hint: If this stream does not exist before the pack is activated, it is created, and the pack routes matching messages to it and to the associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • Linux System Logs

Hint: If this index set is already defined, nothing is changed. If it does not exist, it is created with daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

What is Provided

  • Rules to parse, normalize, and enrich Red Hat Enterprise Linux 10 system log messages

Events Processed by This Technology Pack

The Red Hat Enterprise Linux 10 content pack supports the following log types. Generic processing is provided for log types not listed.

  • Systemd Logs (unit lifecycle, slices, targets, scopes, reload, sysusers, hostname, boot timing, detected platform, signals, devices)

  • Systemd-Logind User Sessions (new / logout / removed / seat, session scopes)

  • Kernel and System Messages (USB connect/disconnect with manufacturer/product/serial, PCI/SCSI/ATA/DRM driver events, ACPI, device-mapper, audit)

  • NetworkManager Logs (severity, subsystem, activation, carrier, DHCPv4 lease, link, audit, state change)

  • Authorization and Access Control (PolicyKit auth requests and grants, SELinux access denials via setroubleshoot)

  • Package Management (dnf transactions, packagekit, rhsm-service)

  • Defensive and Threat-Hunting Signals (firewalld configuration, chronyd clock-step / time-sync, ABRT crash dumps, rsyslog imjournal rate-limit drops)

  • Service and Container Activity (systemd-machined, cups requests, dbus-daemon activation, udisks user-initiated mounts)

  • Remote Access (gnome-remote-desktop RDP server lifecycle)

  • Shell Command Execution Errors

  • User Application Launches (systemd transient app-scope units)

GIM Categorization

GIM categorization is provided for the following messages:

Message Fields Included in This Pack

General Parsing

Systemd

Kernel and System

Shell Command Errors

NetworkManager