Feature request: Laurel for auditd #14461

Open
zbalkan opened this issue Aug 1, 2022 · 1 comment
Comments

zbalkan commented Aug 1, 2022

"LAUREL is an event post-processing plugin for auditd(8) to improve its usability in modern security monitoring setups", according to the project README. It has many capabilities for correlating the auditd logs in a performant way. Using auditd_decoders.xml + logstash enrichment to provide similar capabilities would probably not be performant enough and also may not reach the same results.

In my email, I asked whether the LAUREL + Wazuh scenario had ever been tried and requested comments.

I was told that that setup might work and that I'd better create an issue for a feature request. However, I do not know how LAUREL can be integrated. Would it be included in the agent, which makes sense on a performance level but is against the Wazuh architecture? Or could its internal processing be considered an extension to auditd decoding? Of course, these are just my assumptions. YMMV.

zbalkan commented Aug 3, 2022

In the current scenario, using Laurel requires reading /var/log/laurel/audit.log using the json decoder. But there is no rule that matches Laurel-generated auditd logs. I started implementing them but failed to translate auditd rules to Laurel rules. So I had to roll back. I wish Wazuh could provide as much information in auditd logs as Laurel does.
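The agent-side collection the comment above describes, plus a minimal custom rule, as an added example that is not part of the original issue or of the Wazuh/Laurel projects. The `<localfile>` block is standard Wazuh agent configuration (ossec.conf) and reads the Laurel output file with the built-in `json` log format; the rule goes in the manager's local_rules.xml. The nested field name `SYSCALL.syscall` assumes Laurel's JSON layout as documented in its README at the time of writing (a `SYSCALL` object carrying the syscall number), and the rule id 100100 is an arbitrary value in the custom-rule range; both are assumptions, not values from this page.

```xml
<!-- Agent: /var/ossec/etc/ossec.conf (added example, not project code).
     Collect Laurel's JSON lines instead of the raw audit.log. -->
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/laurel/audit.log</location>
  </localfile>
</ossec_config>

<!-- Manager: /var/ossec/etc/rules/local_rules.xml (added example).
     Baseline rule so Laurel events are decoded and visible; child rules
     can then match on specific fields. Field names follow Laurel's
     README layout (assumption): SYSCALL.syscall, SYSCALL.success,
     EXECVE.ARGV, SYSCALL.key. -->
<group name="laurel,audit,">
  <!-- Any Laurel record that carries a SYSCALL object -->
  <rule id="100100" level="3">
    <decoded_as>json</decoded_as>
    <field name="SYSCALL.syscall">\.+</field>
    <description>Laurel: auditd syscall event (key: $(SYSCALL.key))</description>
  </rule>

  <!-- Raise the level when the auditd rule key marks the event
       as privileged activity; "privileged" is a constructed key
       name that must match the -k value in your audit.rules. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <field name="SYSCALL.key">^privileged$</field>
    <description>Laurel: privileged command executed: $(EXECVE.ARGV)</description>
  </rule>
</group>
```

After restarting the agent and manager, `/var/ossec/bin/wazuh-logtest` on the manager can be fed one Laurel JSON line to confirm the json decoder fires and rule 100100 matches before any further rules are written.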
