type=SYSCALL msg=audit(1422400641.534:1763): arch=c000003e syscall=59 success=yes exit=0 a0=15caf68 a1=17f3908 a2=1704008 a3=7fffe0699d10 items=2 ppid=24788 pid=30307 auid=2001 uid=2001 gid=2001 euid=2001 suid=2001 fsuid=2001 egid=2001 sgid=2001 fsgid=2001 tty=pts5 ses=627 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1422400641.534:1763): argc=2 a0="ls" a1="--color=auto"
type=CWD msg=audit(1422400641.534:1763): cwd="/var/log"
type=PATH msg=audit(1422400641.534:1763): item=0 name="/bin/ls" inode=393530 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1422400641.534:1763): item=1 name=(null) inode=526546 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
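# Logstash filter snippet for Linux auditd records, one audit message per event.
# Each grok block parses exactly one record type and stamps audit_type on success,
# so the three blocks are mutually exclusive: a given message matches at most one.
# Record types not handled here (e.g. PATH, which appears in the sample log above)
# fall through with no audit_type and are tagged at the end of the block.
if [type] == 'auditd' {
  grok {
    patterns_dir => "/etc/logstash/patterns"
    match => [
      "message", "type=CWD msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): cwd=\"%{PATH:audit_cwd}\""
    ]
    add_field => ["audit_type", "CWD"]
    # Since at most one of the three groks can match, per-grok failure tagging
    # would mark every event _grokparsefailure. Failures are tagged once, below,
    # only for messages that none of the blocks recognised.
    tag_on_failure => []
  }
  grok {
    patterns_dir => "/etc/logstash/patterns"
    # The closing brace of the GREEDYDATA capture was missing, which makes the
    # pattern invalid and leaves EXECVE records (the argv of every executed
    # command, the most useful field for detection) unparsed.
    # audit_execve_rest keeps the raw `a0="..." a1="..."` string; it is not
    # split into individual arguments here.
    match => [
      "message", "type=EXECVE msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): argc=%{INT:audit_argc} %{GREEDYDATA:audit_execve_rest}"
    ]
    add_field => ["audit_type", "EXECVE"]
    tag_on_failure => []
  }
  grok {
    patterns_dir => "/etc/logstash/patterns"
    # tty uses NOTSPACE rather than WORD so values containing punctuation
    # (auditd writes tty=(none) for processes without a terminal) still match.
    # comm uses DATA rather than WORD so command names with '-' or '.' are not
    # silently dropped as parse failures; the surrounding quotes bound the capture.
    # exe keeps %{PATH}; an executable whose path contains spaces or an
    # auditd "(deleted)" suffix will not match this pattern — confirm against
    # the logs in use before relying on it.
    match => [
      "message", "type=SYSCALL msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): arch=%{BASE16NUM:syscall_arch} syscall=%{INT:audit_syscall} success=%{WORD:audit_success} exit=%{INT:syscall_exitcode} a0=%{BASE16NUM:syscall_a0} a1=%{BASE16NUM:syscall_a1} a2=%{BASE16NUM:syscall_a2} a3=%{BASE16NUM:syscall_a3} items=%{INT:audit_items} ppid=%{INT:audit_ppid} pid=%{INT:audit_pid} auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} euid=%{INT:audit_euid} suid=%{INT:audit_suid} fsuid=%{INT:audit_fsuid} egid=%{INT:audit_egid} sgid=%{INT:audit_sgid} fsgid=%{INT:audit_fsgid} tty=%{NOTSPACE:audit_tty} ses=%{INT:audit_ses} comm=\"%{DATA:audit_comm}\" exe=\"%{PATH:audit_exe}\" key=(?:%{QS:audit_key}|\(null\))"
    ]
    add_field => ["audit_type", "SYSCALL"]
    tag_on_failure => []
  }
  # Surface records that matched none of the patterns so parser gaps stay
  # visible in the index instead of silently producing events with no audit fields.
  if ![audit_type] {
    mutate { add_tag => ["_grokparsefailure"] }
  }
}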