This Auditd filter is used to extract out the data from the auditd logs that can be used for detecting suspicious activity on the Linux system. By using this filter, we can easily apply the elasticsearch queries. This will provide better visualization of logs data. From this filter, we can extract the following information like
- Arguments of executed commands
- Process information
- The current working directory of the user
- Files access information
- User Login attempts (Successful or Failure)
- Setuid and Setgid information
- System call failure and success
- and much more