Configuring CentOS audit log
I have recently set up our systems to forward the auditd logs to our Sumo Logic console. The issue I am having is our audit logs are pretty much unreadable as they are meant to be read with aureport and they show the events' UIDs instead of usernames or the host they are coming from. Does anyone know how to make the auditd rules more human readable coming into Sumo Logic?
Official comment
There is a hex-to-decimal conversion operator: https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/hexToDec
Also hex to ASCII: https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/hexToAscii
Auditd logs like this: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html are by nature very granular - you only have IDs for most cases. You can however augment these IDs with extra data that links the IDs with, for example, the user names or the group names. To get this data in the system, use a script source that runs periodically (of course you need to write a script that lists all these resources, for instance, http://askubuntu.com/questions/645236/command-to-list-all-users-with-their-uid). Then build a lookup table out of that and reference it in your auditd queries. Alternatively, just consume data by audit report tools periodically (again via a script source that calls these tools).
I see there's a hexToAscii which is working for me now.
| parse "type=PROCTITLE msg=audit(1543971021.722:2956737): proctitle=*" as proctitle
| hexToAscii(proctitle) as V
https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/hexToAscii
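As an added example that is not part of this thread, the following Python script does offline what the two answers describe: it decodes the hex-encoded proctitle field (argv is NUL separated, which is why auditd hex-encodes it) and resolves auid/uid/euid against a uid-to-name lookup table of the kind a periodic script source running `getent passwd` would upload. The audit records and the lookup table below are constructed for the example; the field names and the unset-auid value are auditd's own.

```python
import re
# Constructed sample audit records (not from the thread). The PROCTITLE value is the
# hex encoding of "cat\0/etc/shadow": argv is NUL separated, so auditd hex-encodes it.
SAMPLE_AUDIT_LINES = [
    "type=SYSCALL msg=audit(1543971021.722:2956737): arch=c000003e syscall=2 "
    "success=yes exit=3 items=1 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 "
    "euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 "
    'comm="cat" exe="/usr/bin/cat" key="shadow-read"',
    "type=PROCTITLE msg=audit(1543971021.722:2956737): "
    "proctitle=636174002F6574632F736861646F77",
]
# Constructed uid -> name table: what a periodic script source running `getent passwd`
# would upload for use as a lookup.
UID_LOOKUP = {0: "root", 1000: "alice"}
AUID_UNSET = 4294967295  # auditd writes -1 as unsigned when no login uid is set
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def parse_audit_line(line):
    """Split one audit record into its key=value fields plus the event id."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["event_id"] = m.group(2)
    return fields

def decode_proctitle(value):
    """Decode a hex proctitle and join argv with spaces; quoted values pass through."""
    if value.startswith('"'):
        return value.strip('"')
    parts = bytes.fromhex(value).split(b"\0")
    return " ".join(p.decode("utf-8", "replace") for p in parts if p)

def uid_name(uid, lookup):
    # Keep unknown ids visible as "uid:N" rather than silently blank.
    return "unset" if uid == AUID_UNSET else lookup.get(uid, "uid:%d" % uid)

def enrich_events(lines, lookup):
    """Group records by event id and add the readable fields the thread asks for."""
    events = {}
    for line in lines:
        f = parse_audit_line(line)
        ev = events.setdefault(f["event_id"], {})
        if f["type"] == "PROCTITLE":
            ev["proctitle"] = decode_proctitle(f["proctitle"])
        elif f["type"] == "SYSCALL":
            for key in ("auid", "uid", "euid"):
                ev[key + "_name"] = uid_name(int(f[key]), lookup)
            ev["exe"], ev["key"] = f["exe"], f["key"]
    return events
```

Records of one event share the `msg=audit(timestamp:serial)` value, which is what the grouping keys on; the same join is what a lookup-table query in the log platform has to do per event.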