I am triying to read the output of journalctl so i have added this lines in the ossec.conf file:

<localfile>
    <log_format>journald</log_format>
    <location>all</location>
  </localfile>

  <localfile>
    <log_format>journald</log_format>
    <location>su</location>
  </localfile>

  <localfile>
    <log_format>journald</log_format>
    <location>NetworkManager</location>
  </localfile>

(just copied the following commit):
4d01278

And what i get in ossec.log is:
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'all'.
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'su'.
2024/05/13 12:35:12 ossec-logcollector(1951): INFO: Analyzing journald log: 'NetworkManager'.

2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'all'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'su'.
2024/05/13 12:37:22 ossec-logcollector(1904): INFO: File not available, ignoring it: 'NetworkManager'.

Doesn't the implementation allows ossec to read directly from the output of the journalctl or do i have to create a new file and add it to the location label.

Also i have the logall option set to yes in order to see if the logs of the journald are being monitored and none of the logs i find there are from the journald.

Any help?