Thank you to the Log2timeline and Timesketch teams for putting out some solid work. I am thankful that I have the opportunity to create this write-up, which comes on the back of their hard work. While there may be holes in their documentation and descriptions, the code is well written and fairly easy to understand. Any criticism should not be interpreted as a reflection of the quality of their work.
You can use these commands and rules to search for exploitation attempts against the Log4j RCE vulnerability CVE-2021-44228 (Log4Shell).
This command searches for exploitation attempts in uncompressed text files in the folder /var/log and all of its subfolders (-r recurses, -i matches regardless of case, -I skips files grep considers binary):
sudo grep -E -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
Caveats: the pattern only fires on the literal prefix ${jndi: (or $%7Bjndi: with the brace URL-encoded), so fully URL-encoded payloads and nested-lookup obfuscations such as ${${lower:j}ndi: are not caught; rotated, compressed logs (*.gz) are treated as binary and skipped by -I, so scan those separately with zgrep or zcat. The trailing [^\n]+ is a POSIX bracket expression meaning "not a backslash and not the letter n", so it only requires at least one more character after the scheme and is harmless but not a newline check.