About journal_watcher Plugin

The journal_watcher plugin reads and parses sshd logs to generate sshd login and gssapi events.

Runtime requirements

Supports mainstream Linux distributions, including CentOS, RHEL, Debian, Ubuntu, RockyLinux, OpenSUSE, etc. Supports x86-64 and aarch64 architectures.

Quick start

Through the complete deployment of elkeidup, this plugin is enabled by default.

Compile from source

Dependency requirements


In the root directory, execute:

BUILD_VERSION= bash build.sh

During the compilation process, the script will read the BUILD_VERSION environment variable to set the version information, which can be modified according to actual needs.

After the compilation is successful, you should see two plg files in the output directory of the root directory, which correspond to different system architectures.

Version Upgrade

  1. If no client component has been created, please create a new component in the Elkeid Console-Component Management page.
  2. On the Elkeid Console - Component Management page, find the "collector" entry, click "Release Version" on the right, fill in the version information and upload the files corresponding to the platform and architecture, and click OK.
  3. On the Elkeid Console - Component Policy page, delete the old "collector" version policy (if any), click "New Policy", select the version just released, and click OK. Subsequent newly installed Agents will be self-upgraded to the latest version.
  4. On the Elkeid Console - Task Management page, click "New Task", select all hosts, click Next, select the "Sync Configuration" task type, and click OK. Then, find the task you just created on this page, and click Run to upgrade the old version of the Agent.


journal_watcher is distributed under the Apache-2.0 license.