Linux audit parser

The Linux audit parser can parse the log messages of the Linux Audit subsystem (auditd). The AxoSyslog application can separate these log messages to name-value pairs. For details on using value-pairs in AxoSyslog see Structuring macros, metadata, and other value-pairs. The following is a sample log message of auditd:

   type=SYSCALL msg=audit(1441988805.991:239): arch=c000003e syscall=59 success=yes exit=0 a0=7fe49a6d0e98 a1=7fe49a6d0e40 a2=7fe49a6d0e80 a3=2 items=2 ppid=3652 pid=3660 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="dumpe2fs" exe="/sbin/dumpe2fs" key=(null)
    type=EXECVE msg=audit(1441988805.991:239): argc=3 a0="dumpe2fs" a1="-h" a2="/dev/sda1"
    type=CWD msg=audit(1441988805.991:239):  cwd="/"
    type=PATH msg=audit(1441988805.991:239): item=0 name="/sbin/dumpe2fs" inode=137078 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
    type=PATH msg=audit(1441988805.991:239): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5243184 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
    type=PROCTITLE msg=audit(1441988805.991:239): proctitle=64756D7065326673002D68002F6465762F73646131

Certain fields of the audit log can be encoded in hexadecimal format, for example, the arch field, or the a<number> fields in the previous example. The AxoSyslog application automatically decodes these fields (for example, the c000003e value becomes x86_64).

The AxoSyslog application extracts every field into name-value pairs. It automatically decodes the following fields:

  • name

  • proctitle

  • path

  • dir

  • comm

  • ocomm

  • data

  • old

  • new

To parse the log messages of the Linux Audit subsystem, define a parser that has the linux-audit-parser() option. By default, the parser will process the ${MESSAGE} part of the log message. To process other parts of a log message, use the template() option. You can also define the parser inline in the log path.

Declaration:

   parser parser_name {
        linux-audit-parser(
            prefix()
            template()
        );
    };

Example: Using the linux-audit-parser() parser

In the following example, the source is a log file created by auditd. Since the audit log format is not a syslog format, the syslog parser is disabled, so that AxoSyslog does not parse the message: flags(no-parse). The parser inserts “.auditd.” prefix before all extracted name-value pairs. The destination is a file, that uses the format-json template function. Every name-value pair that begins with a dot (".") character will be written to the file (dot-nv-pairs). The log line connects the source, the destination, and the parser.

   source s_auditd {
        file(/var/log/audit/audit.log flags(no-parse));
    };
    
    destination d_json {
        file(
            "/tmp/test.json"
            template("$(format-json .auditd.*)\n")
        );
    };
    
    parser p_auditd {
        linux-audit-parser (prefix(".auditd."));
    };
    
    log {
        source(s_auditd);
        parser(p_auditd);
        destination(d_json);
    };

You can also define the parser inline in the log path.

   source s_auditd {
        file(/var/log/audit/audit.log);
    };
    
    destination d_json {
        file(
            "/tmp/test.json"
            template("$(format-json .auditd.*)\n")
        );
    };
    
    log {
        source(s_auditd);
        parser {
            linux-audit-parser (prefix(".auditd."));
        };
        destination(d_json);
    };