Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "systemctl" and (ProcessCommandLine has "stop" or ProcessCommandLine has "disable") and (ProcessCommandLine has "journal" or ProcessCommandLine has "systemd-journald") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName

DeviceProcessEvents | where ProcessCommandLine contains 'systemctl stop systemd-journald' | project TimeGenerated, DeviceName, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine

DeviceProcessEvents | where FileName has 'systemctl' or FileName has 'service' | where ProcessCommandLine contains 'stop' and (ProcessCommandLine contains 'journald' or ProcessCommandLine contains 'systemd-journald') | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName

DeviceProcessEvents | where ProcessCommandLine has_any ("systemctl", "service", "systemd-journald", "journalctl") and ProcessCommandLine contains "stop" | where ProcessCommandLine has "systemd-journald" or ProcessCommandLine has "journal" | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains "systemctl stop systemd-journald" or ProcessCommandLine contains "systemctl disable systemd-journald" or ProcessCommandLine contains "systemctl stop journald" or ProcessCommandLine contains "systemctl disable journald" or FileName has "systemctl" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine | summarize by InitiatingProcessFileName, InitiatingProcessCommandLine | order by InitiatingProcessFileName asc

let linuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId, DeviceName; let candidate = DeviceProcessEvents | where ActionType == "ProcessCreated" | join kind=inner (linuxDevices) on DeviceId | extend cmd = tostring(ProcessCommandLine) | extend lc = tolower(cmd) // Focus on commands referencing journald or its config | where lc has_any ("systemd-journald", "journald", "journald.conf") // Classify the action taken | extend ActionDetected = case( lc matches regex @"\b(systemctl|service)\s+stop\b.*\bjournald\b", "stop", lc matches regex @"\b(systemctl|service)\s+(disable|mask)\b.*\bjournald\b", "disable_or_mask", lc matches regex @"\b(pkill|killall)\b.*\bjournald\b|\bkill\b.*\b(systemd-journald|`pidof systemd-journald`)\b", "kill", lc matches regex @"\b(sed|echo|tee|crudini)\b.*\b/etc/systemd/journald\.conf\b.*\bstorage\s*=\s*none\b", "conf_change_storage_none", "other") | where ActionDetected in ("stop", "disable_or_mask", "kill", "conf_change_storage_none") // Extract the utility used, even if wrapped by sudo/sh | extend InvokedUtility = coalesce( extract(@"(?i)\b(systemctl|service|chkconfig|update-rc\.d|rc-update|sv|pkill|killall|kill|sed|echo|tee|crudini)\b", 1, cmd), FileName) | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, InvokedUtility, ActionDetected, FileName, ProcessCommandLine; // Summarize where the service was stopped and which utility disabled logging candidate | summarize StopEvents = countif(ActionDetected == "stop"), DisabledEvents = countif(ActionDetected in ("disable_or_mask", "conf_change_storage_none")), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), SampleCommands = make_set(ProcessCommandLine, 3) by DeviceName, InvokedUtility | where StopEvents > 0 or DisabledEvents > 0 | order by LastSeen desc

DeviceProcessEvents | where ProcessCommandLine has_any ("systemctl", "service", "kill", "pkill", "sv", "rc-service", "journalctl") or FileName has_any ("systemctl", "service", "kill", "pkill", "sv", "rc-service", "journalctl") | where ProcessCommandLine has_any ("journal", "journald", "systemd-journald", "systemd-journal") or FileName has_any ("journalctl", "systemctl", "service") | extend Utility = iff(FileName contains "systemctl", "systemctl", iff(FileName contains "service", "service", iff(FileName contains "journalctl", "journalctl", iff(FileName contains "pkill" or ProcessCommandLine has "pkill", "pkill", iff(FileName contains "kill" or ProcessCommandLine has "kill", "kill", iff(FileName contains "sv", "sv", iff(FileName contains "rc-service", "rc-service", FileName))))))) | extend Matches = strcat("Cmd:", ProcessCommandLine) | where ProcessCommandLine has_any ("stop", "disable", "mask", "--set-log-level", "--rotate", "--vacuum", "--unit", "--no-block") or ProcessCommandLine has "-9" or ProcessCommandLine has "SIG" | project TimeGenerated, DeviceName, AccountName, AccountDomain, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, Utility, Matches, ReportId | order by TimeGenerated desc | take 200

(DeviceProcessEvents | where Timestamp between (startofday(now()) - 30d .. now()) | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | where (ProcessCommandLine has_cs "systemctl" and (ProcessCommandLine has "stop" or ProcessCommandLine has "disable" or ProcessCommandLine has "mask" or ProcessCommandLine has "kill")) or (ProcessCommandLine has_cs "service" and (ProcessCommandLine has "stop" or ProcessCommandLine has "disable")) or (ProcessCommandLine has_cs "journalctl" and (ProcessCommandLine has "--vacuum" or ProcessCommandLine has "--rotate" or ProcessCommandLine has "--disk-usage")) or (ProcessCommandLine has_cs "rm -f /var/log/journal" ) or (ProcessCommandLine has_cs "sed -i" and ProcessCommandLine has "journald.conf") or (ProcessCommandLine has_cs "tee /etc/systemd/journald.conf" ) | extend ActionTime = Timestamp, Utility = case( ProcessCommandLine has_cs "systemctl", "systemctl", ProcessCommandLine has_cs "service", "service", ProcessCommandLine has_cs "journalctl", "journalctl", ProcessCommandLine has_cs "sed", "sed", ProcessCommandLine has_cs "tee", "tee", ProcessCommandLine has_cs "rm -f /var/log/journal", "rm", "other") | project ActionTime, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, Utility, TimeGenerated, Timestamp ) | union ( DeviceEvents | where Timestamp between (startofday(now()) - 30d .. now()) | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | where (ProcessCommandLine has_cs "systemctl" and (ProcessCommandLine has "stop" or ProcessCommandLine has "disable" or ProcessCommandLine has "mask" or ProcessCommandLine has "kill")) or (ProcessCommandLine has_cs "service" and (ProcessCommandLine has "stop" or ProcessCommandLine has "disable")) or (ProcessCommandLine has_cs "journalctl" and (ProcessCommandLine has "--vacuum" or ProcessCommandLine has "--rotate" or ProcessCommandLine has "--disk-usage")) or (ProcessCommandLine has_cs "rm -f /var/log/journal" ) or (ProcessCommandLine has_cs "sed -i" and ProcessCommandLine has "journald.conf") or (ProcessCommandLine has_cs "tee /etc/systemd/journald.conf" ) | extend ActionTime = Timestamp, Utility = case( ProcessCommandLine has_cs "systemctl", "systemctl", ProcessCommandLine has_cs "service", "service", ProcessCommandLine has_cs "journalctl", "journalctl", ProcessCommandLine has_cs "sed", "sed", ProcessCommandLine has_cs "tee", "tee", ProcessCommandLine has_cs "rm -f /var/log/journal", "rm", "other") | project ActionTime, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, Utility, TimeGenerated, Timestamp ) | sort by ActionTime desc | take 200

DeviceProcessEvents | where ( (InitiatingProcessCommandLine contains "systemctl" or InitiatingProcessCommandLine contains "service") and (InitiatingProcessCommandLine contains "journald" or InitiatingProcessCommandLine contains "systemd-journald") ) or ( (ProcessCommandLine contains "systemctl" or ProcessCommandLine contains "service") and (ProcessCommandLine contains "journald" or ProcessCommandLine contains "systemd-journald") ) | where (InitiatingProcessCommandLine contains "stop" or InitiatingProcessCommandLine contains "disable" or ProcessCommandLine contains "stop" or ProcessCommandLine contains "disable") | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath | take 100

DeviceProcessEvents | where InitiatingProcessCommandLine has_any ("systemctl","service","systemd") | where InitiatingProcessCommandLine has_any ("journald","systemd-journald") | where InitiatingProcessCommandLine has_any ("stop","disable","mask") | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessCreationTime, _ResourceId

DeviceProcessEvents | where ProcessCommandLine contains 'systemd-journald' and (ProcessCommandLine contains 'stop' or ProcessCommandLine contains 'disable') | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName | order by TimeGenerated desc

DeviceProcessEvents | where FileName == 'systemctl' and ProcessCommandLine contains 'stop' and ProcessCommandLine contains 'systemd-journald' | project TimeGenerated, DeviceName, ProcessCommandLine, FileName | order by TimeGenerated desc

DeviceProcessEvents | join kind=inner ( DeviceInfo | where OSPlatform == "Linux" | project DeviceId ) on DeviceId | where ActionType == "ProcessCreated" | where ProcessCommandLine has_any ("journald", "journalctl") | where ProcessCommandLine has_any ("disable", "stop") | project TimeGenerated, DeviceId, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc

// --- Find the utility that stopped/disabled systemd-journald --- let stopVerbs = dynamic(["stop", "disable", "mask"]); DeviceProcessEvents | where ActionType in ("ProcessExec", "ProcessCreated") // Linux process executions | where ProcessCommandLine has "journald" // target is the journal daemon | where ProcessCommandLine has_any (stopVerbs) // command includes a stop/disable verb // Extract the executable/utility – first token before a space | extend Utility = tolower(trim(" ", tostring(split(ProcessCommandLine, " ")[0]))) | summarize EventCount = count(), sampleCommands = make_set(ProcessCommandLine, 3) by Utility | order by EventCount desc

DeviceProcessEvents | where ProcessCommandLine contains "stop" and ProcessCommandLine contains "journal" | where ProcessCommandLine contains "systemctl" or ProcessCommandLine contains "service" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, ProcessId, InitiatingProcessAccountName | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "systemctl" and ProcessCommandLine has "stop" and ProcessCommandLine has "journald" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc

// Find instances where the system journal (journald) was stopped or disabled on Linux hosts // Time filtering is controlled by the query time picker (start/end) let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where TimeGenerated between (startofday(ago(30d)) .. now()) // replace or remove if using time picker | where DeviceId in (linuxDevices) | where ActionType == "ProcessCreated" // Look for systemctl stop/disable commands targeting systemd-journald | where ProcessCommandLine matches regex @"systemctl\s+(stop|disable)\s+systemd-journald(\.service)?" | project TimeGenerated, DeviceName, User = InitiatingProcessAccountName, CommandLine = ProcessCommandLine