The Linux agent only captures journald.

### Acknowledgements

- [x] I have searched (https://github.com/utmstack/UTMStack/issues) for past instances of this issue
- [x] I have verified that my UTMStack version is up-to-date

### Describe the bug

The Linux agent only collects logs via journalctl -f -o json, missing critical security events that require auditd.

### Regression Issue

- [ ] Select this option if this issue appears to be a regression.

### Expected Behavior

The Linux agent should have comprehensive log collection.

### Current Behavior

N/A

### Reproduction Steps

1. Install UTMStack agent on Debian/Ubuntu server
2. Run any command: whoami, cat /etc/passwd, chattr +i file
3. Check SIEM logs for the command → Not captured

### Possible Solution

Add native auditd collector to the agent.

### Additional Information/Context

_No response_

### UTMStack Version

v11

### Operating System and version

Ubuntu

### Hypervisor and Version | Server Vendor and Model

n/a

### Browser and version

na

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The Linux agent only captures journald. #1956

Acknowledgements

Describe the bug

Regression Issue

Expected Behavior

Current Behavior

Reproduction Steps

Possible Solution

Additional Information/Context

UTMStack Version

Operating System and version

Hypervisor and Version | Server Vendor and Model

Browser and version

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

The Linux agent only captures journald. #1956

Description

Acknowledgements

Describe the bug

Regression Issue

Expected Behavior

Current Behavior

Reproduction Steps

Possible Solution

Additional Information/Context

UTMStack Version

Operating System and version

Hypervisor and Version | Server Vendor and Model

Browser and version

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions