diyan/auditd_log_parser.pl

## auditd_log_parser.pl
# nxlog script that converts uid, gid into username and group name

#$id  = getpwnam($name);
#$name = getpwuid($num);
#$name = getpwent();
#$gid = getgrnam($name);
#$name = getgrgid($num;
#$name = getgrent();

my %user_names = ();

# Get $log_message value from Nxlog API
my $log_message = "type=SYSCALL msg=audit(1383648649.052:13644): arch=c000003e syscall=59 success=yes exit=0 a0=20f12e0 a1=7fff03cd60c0 a2=20f1310 a3=7fff03cd7ee0 items=2 ppid=835 pid=17726 auid=33";
$log_message =~ /auid=(?<auid>\d+)/;
my $user_id = $+{auid};
my $user_name = $user_names{$user_id};

if (!$user_name) {
    print "user not found\n";
    $user_name = getpwuid($user_id);
    $user_names{$user_id} = $user_name;
}

# Iterate over the fields
#foreach my $field_name ( @{Log::Nxlog::field_names($event)} ) {
#    print "Nxlog field_name", $field_name, "\n";
#}

if ($user_name) {
    print "user found - ", $user_name, "\n";
}
else {
    print "user not found\n";
}
	# nxlog script that converts uid, gid into username and group name

	#$id = getpwnam($name);
	#$name = getpwuid($num);
	#$name = getpwent();
	#$gid = getgrnam($name);
	#$name = getgrgid($num;
	#$name = getgrent();

	my %user_names = ();

	# Get $log_message value from Nxlog API
	my $log_message = "type=SYSCALL msg=audit(1383648649.052:13644): arch=c000003e syscall=59 success=yes exit=0 a0=20f12e0 a1=7fff03cd60c0 a2=20f1310 a3=7fff03cd7ee0 items=2 ppid=835 pid=17726 auid=33";
	$log_message =~ /auid=(?<auid>\d+)/;
	my $user_id = $+{auid};
	my $user_name = $user_names{$user_id};

	if (!$user_name) {
	print "user not found\n";
	$user_name = getpwuid($user_id);
	$user_names{$user_id} = $user_name;
	}

	# Iterate over the fields
	#foreach my $field_name ( @{Log::Nxlog::field_names($event)} ) {
	# print "Nxlog field_name", $field_name, "\n";
	#}

	if ($user_name) {
	print "user found - ", $user_name, "\n";
	}
	else {
	print "user not found\n";
	}