I have StrongSwan installed on a Debian 13 machine. The logs are written to the journal. I use elastic-agent in version 9.3.3 to try to read these logs; the stack is in version 9.3.3, too. `journalctl -u strongswan` shows:

```
Jun 29 15:49:09 debian-ts.local charon-systemd[11574]: loaded plugins: charon-systemd aesni random nonce x509 revocation constraints pubkey pkcs1 pkcs7 dnskey sshkey pem openssl pkcs8 agent gcm drbg attr kernel-netlink resolve socket-default connmark vici updown eap-mschapv2 xauth-generic counters
Jun 29 15:49:09 debian-ts.local charon-systemd[11574]: dropped capabilities, running as uid 0, gid 0
Jun 29 15:49:09 debian-ts.local charon-systemd[11574]: spawning 16 worker threads
Jun 29 15:49:09 debian-ts.local swanctl[11609]: plugin 'test-vectors': failed to load - test_vectors_plugin_create not found and no plugin file available
Jun 29 15:49:09 debian-ts.local swanctl[11609]: plugin 'ldap': failed to load - ldap_plugin_create not found and no plugin file available
```
In Kibana I only see swanctl logs, but no charon-systemd logs.
Why are the charon-systemd logs missing? How can I debug this? What can I do to see all logs from the journal?
Where does your elastic-agent read the log files from? Is it possible that it's not reading the journal itself, but reading the swanctl logs from a file, but not the charon logs?
Trying to think of reasons why it might be omitted. Not that it seems likely, but does the charon systemd unit declare a different log namespace? Or do any of the log entry fields look unusual (via `--output=verbose`)?
Another hypothesis: the strongSwan docs suggest that charon-systemd logs to the journal directly using the journal API and not via the kernel's logging API. That might result in the log entry being recorded with a different `_TRANSPORT`, which the system's "syslog" data stream filters out.
I can think of two ways to work around that in the short term. Either configure strongSwan to log to syslog (Logging :: strongSwan Documentation) or add a separate journald integration to the agent which doesn't have that facility filter (and maybe instead filter to target everything that doesn't have any facility).
I didn't manage to give the charon-systemd logs a SYSLOG_FACILITY, neither via the systemd unit nor via the strongSwan config. Is it possible to configure the elastic-agent to grab logs that don't have a SYSLOG_FACILITY?
Sorry to hear that. Yes, you should be able to use the journald integration to do so. You might want to add a filtering processor after it to avoid ingesting the entries with a facility twice, though.
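A small diagnostic for the two things raised in this thread (what `_TRANSPORT` the charon-systemd entries carry, and which entries have no `SYSLOG_FACILITY` and would therefore be skipped by a facility-based stream but picked up by a journald integration filtering on the missing field). This is an added example, not code from the thread or from Elastic; the sample journal lines are constructed in the shape of `journalctl -o json` output and their field values are assumptions.

```python
"""Classify journal entries by _TRANSPORT and presence of SYSLOG_FACILITY.

Feed it the output of `journalctl -u strongswan -o json` (one JSON object
per line) to see why a facility-filtered data stream drops some entries.
"""
import json
import subprocess
from collections import Counter

# Constructed sample, not captured from a real host. Field values are
# assumptions: stdout-transport entries get a facility from journald,
# entries written through the journal API carry none unless the sender sets it.
SAMPLE = "\n".join([
    '{"SYSLOG_IDENTIFIER":"charon-systemd","_TRANSPORT":"journal",'
    '"MESSAGE":"spawning 16 worker threads"}',
    '{"SYSLOG_IDENTIFIER":"charon-systemd","_TRANSPORT":"journal",'
    '"MESSAGE":"dropped capabilities, running as uid 0, gid 0"}',
    '{"SYSLOG_IDENTIFIER":"swanctl","_TRANSPORT":"stdout","SYSLOG_FACILITY":"3",'
    '"MESSAGE":"plugin ldap: failed to load"}',
])


def parse_journal_json(text):
    """Yield one dict per non-empty line of journalctl -o json output."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def classify(text):
    """Count entries by (identifier, transport, has SYSLOG_FACILITY)."""
    counts = Counter()
    for e in parse_journal_json(text):
        counts[(e.get("SYSLOG_IDENTIFIER", "?"), e.get("_TRANSPORT", "?"),
                "SYSLOG_FACILITY" in e)] += 1
    return counts


def without_facility(text):
    """Entries a facility-based stream would drop: those lacking SYSLOG_FACILITY."""
    return [e for e in parse_journal_json(text) if "SYSLOG_FACILITY" not in e]


def classify_live(unit="strongswan"):
    """Same classification over the live journal (needs journalctl and read access)."""
    out = subprocess.run(["journalctl", "-u", unit, "-o", "json", "--no-pager"],
                         capture_output=True, text=True, check=True).stdout
    return classify(out)


if __name__ == "__main__":
    for (ident, transport, has_fac), n in sorted(classify(SAMPLE).items()):
        print(f"{ident:15} transport={transport:8} facility={'yes' if has_fac else 'no':3} count={n}")
```

Run `classify_live()` on the affected host; if every charon-systemd entry shows `facility=no`, a journald integration filtering on the absence of `SYSLOG_FACILITY` is the right second input.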