Linux audit.log messages are encoded hexadeciaml. Is there a way for Sumologic to decode them so they can be useful logs inside Sumologic

Follow

Takahiro Masuda

• November 02, 2018 16:49

This ticket https://support.sumologic.com/hc/en-us/community/posts/115007965868-configuring-centOS-audit-log?input_string=Linux%20audit.log%20messages%20are%20encoded%20hexadeciaml.%20Is%20there%20a%20way%20for%20Sumologic%20to%20decode%20them%20so%20they%20can%20be%20useful%20logs%20inside%20Sumologic

references the same problem, but doesn't address the issue of having the logs in human readable format. 

Is there a way to decode the logs from hexadecimal notation into human readable format please. 

0

• Official comment

  

  Matt Sullivan

  • November 11, 2018 15:25
  • Edited

  there is a hex to decimal conversion operator https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/hexToDec

   

  also hex to ASCII : https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/hexToAscii

  Comment actions Permalink
• 

  Takahiro Masuda

  • December 05, 2018 00:56

  Thanks I got hextoAscii to work

  | parse "type=PROCTITLE msg=audit(1543971021.722:2956737): proctitle=*" as proctitle
  | hexToAscii(proctitle) as V

  0

  Comment actions Permalink

Please sign in to leave a comment.