New linux-audit() source as SCL #2186
Conversation
scl/linux-audit/linux-audit.conf
channel { | ||
source { file("`filename`" flags(no-parse)`__VARARGS__`); }; | ||
parser { linux-audit-parser (prefix("`prefix`")); }; | ||
parser { kv-parser (template("${`prefix`msg}") prefix("`prefix`msg.")); }; |
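Review bot: kv-parser here writes its pairs under `prefix`msg., the same name whose string value it reads from ${`prefix`msg}; in the JSON quoted later in this thread `msg` consequently appears only as an object, so the unparsed msg='...' text is afterwards only recoverable from $MESSAGE. A one-line comment in the SCL stating this would save users a surprise. It is also worth confirming in review that kv-parser succeeds on records that carry no quoted msg='...' part, where ${`prefix`msg} is empty, since a failing parser inside this channel would drop those records.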
What is the purpose of this key in the message, and who sets it?
`prefix`msg
I quickly ran through the linux-audit-parser documentation, but I do not see that linux-audit-parser sets such a key (maybe I overlooked something?). This should always be empty in my opinion.
What is the purpose of the call to kv-parser?
This is where most of the content of the audit.log message is stored after parsing, and everything inside it consists of key-value pairs. That's why the kv-parser is also used after the linux-audit parser.
Example:
type=CRED_REFR msg=audit(1531902380.657:125): pid=1982 uid=0 auid=0 ses=1 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=172.16.167.1 addr=172.16.167.1 terminal=ssh res=success'
Is turned into:
{"test":{"uid":"0","type":"CRED_REFR","ses":"1","pid":"1982","msg":{"terminal":"ssh","res":"success","op":"PAM:setcred","hostname":"172.16.167.1","grantors":"pam_unix","exe":"/usr/sbin/sshd","addr":"172.16.167.1","acct":"root"},"auid":"0"},"SOURCE":"s_auditd","PRIORITY":"notice","MESSAGE":"type=CRED_REFR msg=audit(1531902380.657:125): pid=1982 uid=0 auid=0 ses=1 msg='op=PAM:setcred grantors=pam_unix acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=172.16.167.1 addr=172.16.167.1 terminal=ssh res=success'","ISODATE":"2018-07-18T10:26:21+02:00","HOST_FROM":"centos7","HOST":"centos7","FILE_NAME":"/var/log/audit/audit.log","FACILITY":"user"}
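The two-stage parsing described in this reply, as an added Python example that is not part of the PR or of syslog-ng: it approximates what linux-audit-parser followed by kv-parser produce for the CRED_REFR record above, first as the flat prefixed name-value pairs syslog-ng keeps (test.type, test.msg, test.msg.op, ...), then nested the way the JSON output above shows. The sample line is the one quoted above; the names audit.timestamp and audit.serial for the audit(...) header are this example's own choice, and the rule in nest() that child keys replace a scalar of the same name is inferred from the JSON above, not taken from syslog-ng's documentation.

```python
import json
import re

# Constructed sample input: the audit.log record quoted in this PR thread.
SAMPLE_LINE = (
    "type=CRED_REFR msg=audit(1531902380.657:125): pid=1982 uid=0 auid=0 ses=1 "
    "msg='op=PAM:setcred grantors=pam_unix acct=\"root\" exe=\"/usr/sbin/sshd\" "
    "hostname=172.16.167.1 addr=172.16.167.1 terminal=ssh res=success'"
)

# Every audit record carries a msg=audit(<timestamp>:<serial>): header.
_AUDIT_HDR_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*")
# One key=value token; the value is double-quoted, single-quoted, or a bare word.
_KV_RE = re.compile(r"""(?P<key>[A-Za-z0-9_.\-]+)=(?P<val>"[^"]*"|'[^']*'|\S*)""")


def parse_kv(text):
    """Stage 2 (the kv-parser role): split 'k=v k2="v2"' into a dict, quotes stripped."""
    pairs = {}
    for m in _KV_RE.finditer(text):
        val = m.group("val")
        if len(val) >= 2 and val[0] == val[-1] and val[0] in ("'", '"'):
            val = val[1:-1]
        pairs[m.group("key")] = val
    return pairs


def parse_audit_line(line, prefix="test."):
    """Stage 1 + 2: return flat, prefixed name-value pairs for one audit record,
    with the quoted msg='...' payload additionally expanded under <prefix>msg.
    Returns None when the line carries no audit(...) header."""
    hdr = _AUDIT_HDR_RE.search(line)
    if hdr is None:
        return None
    # Cut the header out first so 'audit(...):' is not taken for a plain value.
    body = line[:hdr.start()] + line[hdr.end():]
    nv = {}
    # These two names are this example's own choice, not documented
    # linux-audit-parser output names.
    nv[prefix + "audit.timestamp"] = hdr.group("ts")
    nv[prefix + "audit.serial"] = hdr.group("serial")
    for key, val in parse_kv(body).items():
        nv[prefix + key] = val
    inner = nv.get(prefix + "msg")
    if inner:  # records such as SYSCALL have no quoted msg='...' part
        for key, val in parse_kv(inner).items():
            nv[prefix + "msg." + key] = val
    return nv


def nest(nv, prefix="test."):
    """Turn the flat pairs into the nested object seen in the PR's JSON output.
    Where a scalar and its children share a name (test.msg vs test.msg.op) the
    children win, which is why the raw msg string is absent from that JSON."""
    root = {}
    for name, value in nv.items():
        if not name.startswith(prefix):
            continue
        parts = name[len(prefix):].split(".")
        node = root
        for part in parts[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        if not isinstance(node.get(parts[-1]), dict):
            node[parts[-1]] = value
    return root


if __name__ == "__main__":
    flat = parse_audit_line(SAMPLE_LINE)
    for name, value in flat.items():
        print(f"{name} = {value}")
    print(json.dumps({"test": nest(flat)}, indent=2))
```

Running it prints the flat view first, where test.msg (the raw quoted string) and test.msg.* coexist, and then the nested view in which only the object survives, matching the JSON above; a record without a quoted msg='...' part simply yields no msg.* pairs.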
Thanks for the explanation, I understand now. `prefix`msg is set by linux-audit-parser.
scl/linux-audit/linux-audit.conf
block source linux-audit(filename("/var/log/audit/audit.log") prefix(".auditd.") ...) { | ||
channel { | ||
source { file("`filename`" flags(no-parse)`__VARARGS__`); }; |
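Review bot: the default prefix(".auditd.") yields dot-prefixed names, which syslog-ng's value-pairs nv-pairs scope leaves out, so a plain $(format-json) destination will not show them unless the user adds --scope dot-nv-pairs or passes a prefix without the leading dot; the example output in this thread only shows the fields because it uses prefix("test."). The commit message or a comment in the SCL should say so.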
Can you add a space before __VARARGS__?
Add a new SCL: linux-audit() source. It reads and automatically
parses the Linux audit logs. You can override the file name using
the filename() parameter and the prefix for the created
name-value pairs using the prefix() parameter. Any additional
parameters are passed to the file source.

Example:

    source s_auditd {
        linux-audit(
            prefix("test.")
            hook-commands(
                startup("auditctl -w /etc/ -p wa")
                shutdown("auditctl -W /etc/ -p wa")
            )
        );
    };

Signed-off-by: Peter Czanik <peter@czanik.hu>