@maraca
Last active August 29, 2015 14:14
type=SYSCALL msg=audit(1422400641.534:1763): arch=c000003e syscall=59 success=yes exit=0 a0=15caf68 a1=17f3908 a2=1704008 a3=7fffe0699d10 items=2 ppid=24788 pid=30307 auid=2001 uid=2001 gid=2001 euid=2001 suid=2001 fsuid=2001 egid=2001 sgid=2001 fsgid=2001 tty=pts5 ses=627 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1422400641.534:1763): argc=2 a0="ls" a1="--color=auto"
type=CWD msg=audit(1422400641.534:1763): cwd="/var/log"
type=PATH msg=audit(1422400641.534:1763): item=0 name="/bin/ls" inode=393530 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1422400641.534:1763): item=1 name=(null) inode=526546 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
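# Parse raw Linux auditd records (events tagged type == 'auditd').
#
# Each record kind (CWD, EXECVE, SYSCALL) gets its own grok, gated on the
# record's leading "type=" token so only the grok that can match is run.
# Without the gate every record went through all three groks and picked up
# a _grokparsefailure tag from the two that cannot match it, which makes
# that tag useless for spotting real parse problems.
#
# All three patterns expose msg=audit(EPOCH:SERIAL) as audit_epoch /
# audit_counter. The records of one kernel event (SYSCALL, EXECVE, CWD,
# PATH, ...) carry the same pair, so that pair is the join key for
# reassembling an event downstream.
#
# Record kinds with no grok here (e.g. the PATH records in the sample
# above) pass through untouched: no fields, no audit_type.
if [type] == 'auditd' {

  # Working directory of the process at the time of the syscall.
  if [message] =~ /^type=CWD / {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => [
        "message", "type=CWD msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): cwd=\"%{PATH:audit_cwd}\""
      ]
      add_field => ["audit_type", "CWD"]
    }
  }

  # execve() argument vector. audit_execve_rest keeps the raw
  # "a0=... a1=..." list as one string rather than splitting it, because the
  # number of aN fields varies per record. NOTE(review): auditd hex-encodes
  # arguments containing quotes or non-printable bytes (those appear without
  # surrounding quotes) and splits very long argv lists over several EXECVE
  # records with the same serial, so consumers should not assume every
  # argument is a quoted string or that one record holds the whole argv.
  if [message] =~ /^type=EXECVE / {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => [
        # Closing brace on the GREEDYDATA capture was missing, which made
        # the whole pattern invalid.
        "message", "type=EXECVE msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): argc=%{INT:audit_argc} %{GREEDYDATA:audit_execve_rest}"
      ]
      add_field => ["audit_type", "EXECVE"]
    }
  }

  # The syscall record itself: identity fields (auid is the login uid, which
  # is kept across su/sudo and so names the original user), process ids,
  # the tty/session, the program name and path, and the rule key.
  # audit_comm uses DATA instead of WORD so process names that contain
  # characters outside \w (e.g. "kworker/0:1") still match; audit_tty uses
  # NOTSPACE so the common tty=(none) value matches. Everything WORD
  # accepted is still accepted. audit_key is the -k key of the audit rule
  # that fired (quotes included, from QS), or absent when the kernel logged
  # key=(null).
  if [message] =~ /^type=SYSCALL / {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => [
        "message", "type=SYSCALL msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): arch=%{BASE16NUM:syscall_arch} syscall=%{INT:audit_syscall} success=%{WORD:audit_success} exit=%{INT:syscall_exitcode} a0=%{BASE16NUM:syscall_a0} a1=%{BASE16NUM:syscall_a1} a2=%{BASE16NUM:syscall_a2} a3=%{BASE16NUM:syscall_a3} items=%{INT:audit_items} ppid=%{INT:audit_ppid} pid=%{INT:audit_pid} auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} euid=%{INT:audit_euid} suid=%{INT:audit_suid} fsuid=%{INT:audit_fsuid} egid=%{INT:audit_egid} sgid=%{INT:audit_sgid} fsgid=%{INT:audit_fsgid} tty=%{NOTSPACE:audit_tty} ses=%{INT:audit_ses} comm=\"%{DATA:audit_comm}\" exe=\"%{PATH:audit_exe}\" key=(?:%{QS:audit_key}|\(null\))"
      ]
      add_field => ["audit_type", "SYSCALL"]
    }
  }
}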