Add auparse package for parsing Linux audit logs #68

Merged: 2 commits merged into elastic:master on Apr 6, 2017

@andrewkroh (Member) commented Mar 31, 2017:

Features

  • Parse the saddr field of SOCKADDR messages to extract ipv4/6 addresses
    and unix socket paths.
  • Translate arch to human readable arch via lookup.
  • Translate syscall number to name.
  • Translate certain hex encoded values to ASCII.

There is an example in the examples directory that parses log files.


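As an added example, not code from this PR or from the auparse package, here is a minimal Go parser that implements the four listed features end to end: header and key=value parsing with hex-encoded string fields decoded, saddr decoding for AF_INET, AF_INET6 and AF_UNIX, and arch and syscall translation. It also flattens the record with record_type, @timestamp and sequence written last, the precedence rule the review discusses below for ToMapStr. Everything in it is assumed rather than taken from the package: archNames and x8664Syscalls are small subsets of the kernel's AUDIT_ARCH_* constants and the x86_64 syscall table, hexEncodedKeys is a hand-picked list of fields the kernel hex-encodes, sa_family is read as little-endian (host order on x86 and arm), and the three sample lines are constructed.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Record header: type=<TYPE> msg=audit(<secs>.<millis>:<seq>): <key=value ...>
var headerRE = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$`)

// Assumed lookup tables: subsets of the kernel's AUDIT_ARCH_* constants and of the
// x86_64 syscall table (numbers are per-architecture, so arch is resolved first).
var archNames = map[string]string{"c000003e": "x86_64", "40000003": "i386", "c00000b7": "aarch64"}
var x8664Syscalls = map[int]string{2: "open", 41: "socket", 42: "connect", 59: "execve", 257: "openat"}

// Assumed list of fields the kernel writes hex-encoded and unquoted when the value holds
// spaces, quotes or control characters; a plain value of these fields is double-quoted.
var hexEncodedKeys = map[string]bool{"proctitle": true, "cmd": true, "data": true, "path": true, "name": true, "comm": true, "exe": true, "key": true}

// ParseLogLine parses one audit.log line into a flat map: key=value pairs (unquoted or
// hex-decoded), arch and syscall translated to names, saddr expanded into family/addr/port
// or family/path, and record_type, @timestamp and sequence written last so that a parsed
// pair cannot override them. An undecodable saddr is reported as an error.
func ParseLogLine(line string) (map[string]string, error) {
	m := headerRE.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return nil, fmt.Errorf("not an audit record: %q", line)
	}
	msg := map[string]string{}
	for _, tok := range strings.Fields(m[5]) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			if strings.HasPrefix(v, `"`) {
				v = strings.Trim(v, `"`)
			} else if b, err := hex.DecodeString(v); err == nil && hexEncodedKeys[k] {
				v = string(b) // only known string fields: a0..a3, exit etc. also look like hex
			}
			msg[k] = v
		}
	}
	if name, ok := archNames[msg["arch"]]; ok {
		msg["arch"] = name
	}
	if n, err := strconv.Atoi(msg["syscall"]); err == nil && msg["arch"] == "x86_64" && x8664Syscalls[n] != "" {
		msg["syscall"] = x8664Syscalls[n]
	}
	if saddr, ok := msg["saddr"]; ok {
		fields, err := ParseSockaddr(saddr)
		if err != nil {
			return nil, err
		}
		for k, v := range fields {
			msg[k] = v
		}
	}
	secs, _ := strconv.ParseInt(m[2], 10, 64)
	millis, _ := strconv.ParseInt(m[3], 10, 64)
	msg["record_type"], msg["sequence"] = m[1], m[4]
	msg["@timestamp"] = time.Unix(secs, millis*int64(time.Millisecond)).UTC().Format(time.RFC3339Nano)
	return msg, nil
}

// ParseSockaddr decodes the hex saddr of a SOCKADDR record: the raw struct sockaddr the
// kernel saw, with sa_family in host byte order (little-endian assumed, as on x86 and
// arm) and the port in network byte order. Layouts of other families are not guessed.
func ParseSockaddr(saddr string) (map[string]string, error) {
	b, err := hex.DecodeString(saddr)
	if err != nil || len(b) < 2 {
		return nil, fmt.Errorf("saddr %q is not a hex-encoded sockaddr", saddr)
	}
	family := binary.LittleEndian.Uint16(b[:2])
	if len(b) < map[uint16]int{2: 8, 10: 24}[family] { // sizeof sockaddr_in / sockaddr_in6
		return nil, fmt.Errorf("saddr %q is truncated for family %d", saddr, family)
	}
	out := map[string]string{}
	switch family {
	case 1: // AF_UNIX: sun_path up to its NUL terminator; a leading NUL marks an abstract socket
		path := strings.TrimRight(string(b[2:]), "\x00")
		if i := strings.IndexByte(path, 0); i > 0 {
			path = path[:i]
		} else if i == 0 {
			path = "@" + path[1:]
		}
		out["family"], out["path"] = "unix", path
	case 2: // AF_INET: family(2) port(2) addr(4) padding(8)
		out["family"], out["addr"], out["port"] = "ipv4", net.IP(b[4:8]).String(), strconv.Itoa(int(binary.BigEndian.Uint16(b[2:4])))
	case 10: // AF_INET6: family(2) port(2) flowinfo(4) addr(16) scope_id(4)
		out["family"], out["addr"], out["port"] = "ipv6", net.IP(b[8:24]).String(), strconv.Itoa(int(binary.BigEndian.Uint16(b[2:4])))
	default: // e.g. AF_NETLINK: keep the raw value instead of guessing a layout
		out["family"], out["raw"] = strconv.Itoa(int(family)), saddr
	}
	return out, nil
}

func main() { // constructed sample records for one connect() event, not from a real system
	for _, line := range []string{
		`type=SYSCALL msg=audit(1490880331.459:2004): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd8d1c6a40 a2=10 a3=0 items=0 ppid=1 pid=4321 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl" key=(null)`,
		`type=SOCKADDR msg=audit(1490880331.459:2004): saddr=02000050C0A8010A0000000000000000`,
		`type=PROCTITLE msg=audit(1490880331.459:2004): proctitle=6375726C2068747470733A2F2F6578616D706C652E636F6D`,
	} {
		fmt.Println(ParseLogLine(line))
	}
}
```

Two design points a practitioner should keep: an unquoted value is hex-decoded only for fields known to carry strings, because the register arguments a0..a3 and similar numeric fields are also valid hex and must stay as written; and a non-hex or truncated saddr is returned as an error rather than silently left raw, so a pipeline can count the records it failed to normalise instead of indexing half-decoded ones.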
@andrewkroh andrewkroh added the review label Mar 31, 2017

@andrewkroh referenced this pull request Mar 31, 2017: #65 Add support for receiving kernel audit messages (closed; 5 of 8 tasks complete)
@codecov commented Mar 31, 2017:

Codecov Report

Merging #68 into master will increase coverage by 0.33%.
The diff coverage is 63.71%.


@@            Coverage Diff             @@
##           master      #68      +/-   ##
==========================================
+ Coverage   60.65%   60.99%   +0.33%     
==========================================
  Files          27       31       +4     
  Lines        2656     2984     +328     
==========================================
+ Hits         1611     1820     +209     
- Misses        805      886      +81     
- Partials      240      278      +38
Impacted Files Coverage Δ
sys/linux/auparse/auparse.go 60.36% <60.36%> (ø)
sys/linux/auparse/sockaddr.go 63.63% <63.63%> (ø)
sys/linux/auparse/zaudit_arches.go 83.33% <83.33%> (ø)
sys/linux/auparse/zaudit_msg_types.go 85.71% <85.71%> (ø)

Last update 6ebbe1b...551f0a3.


// ToMapStr returns a new map containing the parsed key value pairs, the
// record_type, @timestamp, and sequence. The parsed key value pairs have
// a lower precedence than the well-known keys and will knot override them.
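Review bot: the ToMapStr comment states the precedence rule but not the outcome for a parsed pair whose key collides with record_type, @timestamp or sequence (silently dropped, or preserved under another name); one clause saying which would save callers a surprise when an event carries such a key. Also s/knot/not/ in the last line of the comment.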

@andrewkroh (Author, Member) Apr 3, 2017:

s/knot/not/

And describe the error key and the conditions under which it will be present in the event.

@andrewkroh (Member, Author) commented Apr 3, 2017:

Add an ExampleParseLogLine() test function so that there is a parsed event example in the godocs.

Done

@ruflin approved these changes Apr 6, 2017 and left a comment:

LGTM. I'm starting to wonder if this should really be in gosigar or in its own repo.

@@ -0,0 +1,113 @@
// Copyright 2017 Elasticsearch Inc.

@ruflin Apr 6, 2017:

auto generated copyrights?

@ruflin ruflin merged commit 6e68f24 into elastic:master Apr 6, 2017

5 checks passed:

  • CLA: Commit author has signed the CLA
  • codecov/patch: 63.71% of diff hit (target 60.65%)
  • codecov/project: 60.99% (+0.33%) compared to 6ebbe1b
  • continuous-integration/appveyor/pr: AppVeyor build succeeded
  • continuous-integration/travis-ci/pr: The Travis CI build passed