@sakalajuraj
Last active May 24, 2022 17:26
Logstash configuration for auditd messages received via syslog
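# Content of the file /etc/logstash/conf.d/auditd.conf
# Tested on the CentOS 7 audispd logs forwarded to logstash via rsyslog
#
# Pipeline: rsyslog forwards the audispd syslog stream to the syslog input
# below; the filter isolates the audit record body and parses it against
# the AUDITD_* patterns kept in /opt/logstash/patterns/custom; the output
# ships every parsed event to Elasticsearch.
input {
  syslog {
    # Every event from this listener is typed "AUDITD" so the filter and
    # output sections can select it. The value is quoted so it is exactly
    # the string the conditionals below compare against.
    type => "AUDITD"
    # xxxx / xxx.xxx.xxx.xxx are placeholders: use the port rsyslog forwards
    # to and bind to an address reachable only from the forwarding hosts.
    # Nothing in this input authenticates a sender, so the socket should be
    # restricted (firewall / bind address) to the known rsyslog sources.
    port => xxxx
    host => "xxx.xxx.xxx.xxx"
  }
}
filter {
  if [type] == "AUDITD" {
    # [program] is set by the syslog input from the syslog header; only the
    # audit dispatcher's messages are handled here.
    if [program] == "audispd" {
      # Pass 1: consume the common record prefix (type=, msg=audit(...):)
      # into audit_type / audit_epoch / audit_counter and keep the rest of
      # the line in [msg] for the record-specific pass.
      # patterns_dir makes the custom pattern file explicit instead of
      # relying on the install's default pattern path.
      grok {
        patterns_dir => [ "/opt/logstash/patterns" ]
        match => { "message" => "%{AUDITDTRIAL}%{GREEDYDATA:msg}" }
      }
      # Pass 2: try the record-specific patterns in order. grok stops at
      # the first pattern that matches, so a pattern that is a prefix of a
      # later one must be listed after it. A record matched by none of them
      # is tagged _grokparsefailure by grok; that tag is the signal to
      # extend /opt/logstash/patterns/custom.
      grok {
        patterns_dir => [ "/opt/logstash/patterns" ]
        match => {
          "msg" => [
            "%{AUDITD_1}",
            "%{AUDITD_2}",
            "%{AUDITD_3}",
            "%{AUDITD_4}",
            "%{AUDITD_5}",
            "%{AUDITD_6}",
            "%{AUDITD_7}",
            "%{AUDITD_8}",
            "%{AUDITD_9}",
            "%{AUDITD_10}",
            "%{AUDITD_11}",
            "%{AUDITD_12}",
            "%{AUDITD_13}",
            "%{AUDITD_14}",
            "%{AUDITD_15}",
            "%{AUDITD_16}",
            "%{AUDITD_17}",
            "%{AUDITD_18}",
            "%{AUDITD_19}",
            "%{AUDITD_20}",
            "%{AUDITD_21}",
            "%{AUDITD_22}",
            "%{AUDITD_23}",
            "%{AUDITD_24}",
            "%{AUDITD_25}",
            "%{AUDITD_26}"
          ]
        }
      }
      # [message] still carries the full original line, so dropping the
      # intermediate [msg] loses nothing even when pass 2 did not match.
      mutate {
        remove_field => [ "msg" ]
      }
    }
  }
}
output {
  if [type] == "AUDITD" {
    # NOTE(review): protocol / cluster / host / flush_size are options of
    # the 1.x-era elasticsearch output; later releases replaced them with
    # hosts => [...]. No credentials or TLS are configured on this
    # connection, so the audit data is protected only by the network path.
    elasticsearch {
      flush_size => 2000
      protocol => "transport"
      cluster => "xxxxxxxx"
      host => "xxx.xxx.xxx.xxx"
      # Daily index; the date comes from the event's @timestamp.
      index => "logstash-syslog-%{+YYYY.MM.dd}"
    }
  }
}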
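# Content of the file /opt/logstash/patterns/custom
# Some improvements needed, but working
#
# Grok patterns for audispd records as they arrive through syslog.
# AUDITDTRIAL matches the prefix common to every record; each AUDITD_<n>
# matches the body of the record types named in the comment above it.
# Captured fields are prefixed audit_, except src_ip / dst_ip / src_port /
# dst_port / user, which are shared with other log sources.
# grok is not anchored and returns on the first pattern that matches, so
# the order of the match list in auditd.conf matters.
# A non-greedy %{DATA} as the LAST element of a pattern matches the empty
# string; the last field of a record therefore uses %{GREEDYDATA} or a
# bounded pattern such as %{WORD} / %{INT}.
HOSTNAME2 \b(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62}))*(\.?|\b)
# Common record prefix. The node= value has no capture name and is not kept.
AUDITDTRIAL node=%{HOSTNAME2} type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\):
### USER_START, USER_END, CRED_ACQ, USER_ACCT, CRED_DISP, CRED_REFR, USER_AUTH, USER_ERR
# addr= is an IPv4 or IPv6 address or a literal "?"; only a real address
# sets src_ip. acct= is captured only when it is a single \w+ token.
AUDITD_1 pid=%{INT:audit_pid} uid=%{INT:audit_uid} auid=%{INT:audit_auid} ses=%{INT:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} grantors=%{DATA:audit_grantors} acct=\"(%{WORD:user}|\?)\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IP:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
### LOGIN
AUDITD_2 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid}( subj=%{DATA:audit_subject})? old-auid=%{NUMBER:audit_oldauid} auid=%{NUMBER:audit_auid} old-ses=%{NUMBER:audit_oldses} ses=%{NUMBER:audit_ses} res=%{GREEDYDATA:audit_res}
### SYSCALL
# comm= is quoted in the record and may contain characters outside \w
# (e.g. "-"), so it is captured with DATA up to the closing quote.
# key= is the last field and is captured greedily to the end of the line.
AUDITD_3 arch=%{DATA} syscall=%{NUMBER:audit_syscall} success=%{WORD:audit_success} exit=%{INT:audit_exit} a0=%{WORD:audit_a0} a1=%{WORD:audit_a1} a2=%{WORD:audit_a2} a3=%{WORD:audit_a3} items=%{INT:audit_items} ppid=%{INT:audit_ppid} pid=%{INT:audit_pid} auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} euid=%{INT:audit_euid} suid=%{INT:audit_suid} fsuid=%{INT:audit_fsuid} egid=%{INT:audit_egid} sgid=%{INT:audit_sgid} fsgid=%{INT:audit_fsgid} tty=%{DATA:audit_tty} ses=%{INT:audit_ses} comm=\"%{DATA:audit_comm}\" exe=\"%{DATA:audit_exe}\" subj=%{DATA:audit_subj} key=%{GREEDYDATA:audit_key}
### NETFILTER_CFG
AUDITD_4 table=%{WORD:audit_table} family=%{INT:audit_family} entries=%{INT:audit_entries}
### CRYPTO_KEY_USER
# The rport/laddr/lport group is optional; laddr= and addr= accept IPv4 or IPv6.
AUDITD_5 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} kind=%{WORD:audit_kind} fp=%{DATA:audit_fp} direction=%{DATA:audit_direction} spid=%{INT:audit_spid} suid=%{INT:audit_suid}( rport=%{INT:src_port} laddr=%{IP:dst_ip} lport=%{INT:dst_port})?\s+exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IP:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
### AVC
# Four AVC shapes, distinguished by the literal that follows comm=:
# path= / capability= / name= (without dev=) / name= dev= ino= / dest=.
AUDITD_6 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{DATA:audit_comm}\" path=\"%{DATA:audit_path}\" dev=\"%{WORD:audit_dev}\" ino=%{INT:audit_ino} scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}
AUDITD_7 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{DATA:audit_comm}\" capability=%{INT:audit_capability}\s+scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}
AUDITD_8 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{DATA:audit_comm}\" name=\"%{DATA:audit_name}\" scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}
# tclass= is the last field here, so it is captured greedily (a trailing
# non-greedy DATA captured an empty audit_tclass).
AUDITD_25 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{DATA:audit_comm}\" name=\"%{DATA:audit_name}\" dev=\"%{WORD:audit_dev}\" ino=%{INT:audit_ino} scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{GREEDYDATA:audit_tclass}
AUDITD_26 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=%{WORD:audit_comm} dest=%{INT:audit_dest}\s+scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}
### SERVICE_START, SERVICE_STOP
# comm= is captured as written here, quotes included if the record has them.
AUDITD_9 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\' comm=%{DATA:audit_comm} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IP:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
### CRYPTO_SESSION
AUDITD_10 pid=%{INT:audit_pid} uid=%{INT:audit_uid} auid=%{INT:audit_auid} ses=%{INT:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} direction=%{DATA:audit_direction} cipher=%{DATA:audit_cipher} ksize=%{INT:audit_ksize} mac=%{DATA:audit_mac} pfs=%{DATA:audit_pfs} spid=%{INT:audit_spid} suid=%{INT:audit_suid} rport=%{INT:src_port} laddr=%{IP:dst_ip} lport=%{INT:dst_port}\s+exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IP:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
### USER_LOGIN, USER_LOGOUT, USER_CHAUTHOK, ADD_USER, ADD_GROUP, USER_ERR
# AUDITD_11 covers records that carry id=, AUDITD_12 those that carry acct=.
AUDITD_11 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} id=%{INT:audit_id} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IP:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
AUDITD_12 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} acct=\"%{DATA:user}\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IP:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
### USER_ROLE_CHANGE
AUDITD_13 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'pam: default-context=%{DATA:audit_defaultcontext} selected-context=%{DATA:audit_selectedcontext} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IP:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
### USER_CMD
AUDITD_14 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'cwd=%{DATA:audit_cwd} cmd=%{DATA:audit_cmd} terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
### USER_AVC
# AUDITD_15 captures audit_auid and audit_uid twice (outer record and inner
# avc text); when both match, expect those fields to come out as arrays.
# AUDITD_16 is the fallback that keeps the whole avc text in audit_avcmsg.
AUDITD_15 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \}\s+for auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} path=\"%{DATA:audit_path}\" cmdline=\"%{DATA:audit_cmdline}\" scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}\s+exe=\"%{DATA:audit_exe}\" sauid=%{INT:audit_sauid} hostname=%{DATA} addr=(%{IP:src_ip}|\?) terminal=%{DATA:audit_terminal}\'
AUDITD_16 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'avc:\s+%{DATA:audit_avcmsg}\s+exe=\"%{DATA:audit_exe}\" sauid=%{INT:audit_sauid} hostname=%{DATA} addr=(%{IP:src_ip}|\?) terminal=%{DATA:audit_terminal}\'
### ANOM_PROMISCUOUS
AUDITD_17 dev=%{WORD:audit_dev} prom=%{INT:audit_prom} old_prom=%{INT:audit_oldprom} auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} ses=%{INT:audit_ses}
### MAC_STATUS
AUDITD_18 enforcing=%{INT:audit_enforcing} old_enforcing=%{INT:audit_oldenforcing} auid=%{INT:audit_auid} ses=%{INT:audit_ses}
### ANOM_ABEND
AUDITD_19 auid=%{NUMBER:audit_auid} uid=%{NUMBER:audit_uid} gid=%{INT:audit_gid} ses=%{INT:audit_ses}( subj=%{DATA:audit_subject})? pid=%{INT:audit_pid} comm=\"%{DATA:audit_comm}\" reason=\"%{DATA:audit_reason}\" sig=%{INT:audit_sig}
### USER_MGMT
AUDITD_20 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} grp=\"%{WORD:audit_id}\" acct=\"%{DATA:user}\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IP:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
### MAC_POLICY_LOADED
AUDITD_21 policy loaded auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}
### EXECVE
# Only a0 is split out; the remaining a1..aN text stays in audit_args.
AUDITD_22 argc=%{INT:audit_argc} a0=\"%{DATA:audit_a0}\"%{GREEDYDATA:audit_args}
### CWD
AUDITD_23 cwd=\"%{DATA:audit_cwd}\"
### PATH
# name= may or may not be quoted in the record, hence the optional quotes.
AUDITD_24 item=%{INT:audit_item} name=\"?%{DATA:audit_name}\"? inode=%{INT:audit_inode} dev=%{DATA:audit_dev} mode=%{INT:audit_mode} ouid=%{INT:audit_ouid} ogid=%{INT:audit_ogid} rdev=%{DATA:audit_rdev} obj=%{DATA:audit_obj} nametype=%{WORD:audit_nametype}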

fayak commented Aug 4, 2021

Thank you very much for the file. I've made some modifications to handle some cases that were reported as _grokparsefailure on my stack

index 32bc55336..e6b78dfeb 100644
--- a/tmp/custom
+++ b/roles/elastic_stack/files/patterns/auditd
@@ -3,16 +3,16 @@
 
 HOSTNAME2 \b(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62}))*(\.?|\b)
 
-AUDITDTRIAL node=%{HOSTNAME2} type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\):
+AUDITDTRIAL type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\):
 
 ### USER_START, USER_END, CRED_ACQ, USER_ACCT, CRED_DISP, CRED_REFR, USER_AUTH, USER_ERR
 AUDITD_1 pid=%{INT:audit_pid} uid=%{INT:audit_uid} auid=%{INT:audit_auid} ses=%{INT:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} grantors=%{DATA:audit_grantors} acct=\"(%{WORD:user}|\?)\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
 
 ### LOGIN
-AUDITD_2 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid}( subj=%{DATA:audit_subject})? old-auid=%{NUMBER:audit_oldauid} auid=%{NUMBER:audit_auid} old-ses=%{NUMBER:audit_oldses} ses=%{NUMBER:audit_ses} res=%{GREEDYDATA:audit_res}
+AUDITD_2 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid}( subj=%{DATA:audit_subject})? old-auid=%{NUMBER:audit_oldauid} auid=%{NUMBER:audit_auid} (tty=%{DATA:audit_tty} )?old-ses=%{NUMBER:audit_oldses} ses=%{NUMBER:audit_ses} res=%{GREEDYDATA:audit_res}
 
 ### SYSCALL
-AUDITD_3 arch=%{DATA} syscall=%{NUMBER:audit_syscall} success=%{WORD:audit_success} exit=%{INT:audit_exit} a0=%{WORD:audit_a0} a1=%{WORD:audit_a1} a2=%{WORD:audit_a2} a3=%{WORD:audit_a3} items=%{INT:audit_items} ppid=%{INT:audit_ppid} pid=%{INT:audit_pid} auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} euid=%{INT:audit_euid} suid=%{INT:audit_suid} fsuid=%{INT:audit_fsuid} egid=%{INT:audit_egid} sgid=%{INT:audit_sgid} fsgid=%{INT:audit_fsgid} tty=%{DATA:audit_tty} ses=%{INT:audit_ses} comm=\"%{WORD:audit_comm}\" exe=\"%{DATA:audit_exe}\" subj=%{DATA:audit_subj} key=%{DATA:audit_key}
+AUDITD_3 arch=%{DATA} syscall=%{NUMBER:audit_syscall} success=%{WORD:audit_success} exit=%{INT:audit_exit} a0=%{WORD:audit_a0} a1=%{WORD:audit_a1} a2=%{WORD:audit_a2} a3=%{WORD:audit_a3} items=%{INT:audit_items} ppid=%{INT:audit_ppid} pid=%{INT:audit_pid} auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} euid=%{INT:audit_euid} suid=%{INT:audit_suid} fsuid=%{INT:audit_fsuid} egid=%{INT:audit_egid} sgid=%{INT:audit_sgid} fsgid=%{INT:audit_fsgid} tty=%{DATA:audit_tty} ses=%{INT:audit_ses} comm=(\")?%{DATA:audit_comm}(\")? exe=\"%{DATA:audit_exe}\" (subj=%{DATA:audit_subj} )?key=\"%{DATA:audit_key}\"
 
 ### NETFILTER_CFG
 AUDITD_4 table=%{WORD:audit_table} family=%{INT:audit_family} entries=%{INT:audit_entries}
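Review bot: The new AUDITD_3 line ends in `key=\"%{DATA:audit_key}\"`, which requires the key to be quoted; a SYSCALL record produced by a rule without a key carries `key=(null)`, so those records would now fall through to _grokparsefailure where the old pattern still matched them. The old ending had its own problem, a trailing non-greedy DATA that captured an empty audit_key. An alternation covers both shapes: `key=(\"%{DATA:audit_key}\"|%{GREEDYDATA:audit_key})`. The `comm=(\")?%{DATA:audit_comm}(\")?` change looks right, as the non-greedy capture stops before the optional closing quote.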
@@ -28,7 +28,7 @@ AUDITD_25 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%
 AUDITD_26 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=%{WORD:audit_comm} dest=%{INT:audit_dest}\s+scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}
 
 ### SERVICE_START, SERVICE_STOP
-AUDITD_9 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\' comm=%{DATA:audit_comm} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
+AUDITD_9 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'(unit=%{DATA:audit_unit})? comm=%{DATA:audit_comm} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
 
 ### CRYPTO_SESSION
 AUDITD_10 pid=%{INT:audit_pid} uid=%{INT:audit_uid} auid=%{INT:audit_auid} ses=%{INT:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} direction=%{DATA:audit_direction} cipher=%{DATA:audit_cipher} ksize=%{INT:audit_ksize} mac=%{DATA:audit_mac} pfs=%{DATA:audit_pfs} spid=%{INT:audit_spid} suid=%{INT:audit_suid} rport=%{INT:src_port} laddr=%{IPV4:dst_ip} lport=%{INT:dst_port}\s+exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
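Review bot: On the new AUDITD_9 line `comm=%{DATA:audit_comm}` keeps the surrounding quotes in audit_comm when the record writes `comm="..."`, while the AUDITD_3 change in the first hunk strips them, so the same field holds differently shaped values across record types. `comm=\"?%{DATA:audit_comm}\"? exe=` accepts both the quoted and the bare form and stores the bare name. The optional `(unit=%{DATA:audit_unit})?` group is fine as written, since the space before comm= is already required by the original pattern.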
@@ -70,4 +70,9 @@ AUDITD_22 argc=%{INT:audit_argc} a0=\"%{DATA:audit_a0}\"%{GREEDYDATA:audit_args}
 AUDITD_23 cwd=\"%{DATA:audit_cwd}\"
 
 ### PATH
-AUDITD_24 item=%{INT:audit_item} name=\"?%{DATA:audit_name}\"? inode=%{INT:audit_inode} dev=%{DATA:audit_dev} mode=%{INT:audit_mode} ouid=%{INT:audit_ouid} ogid=%{INT:audit_ogid} rdev=%{DATA:audit_rdev} obj=%{DATA:audit_obj} nametype=%{WORD:audit_nametype}
\ No newline at end of file
+AUDITD_24 item=%{INT:audit_item} name=\"?%{DATA:audit_name}\"? inode=%{INT:audit_inode} dev=%{DATA:audit_dev} mode=%{INT:audit_mode} ouid=%{INT:audit_ouid} ogid=%{INT:audit_ogid} rdev=%{DATA:audit_rdev} (obj=%{DATA:audit_obj} )?nametype=%{WORD:audit_nametype}
+AUDITD_27 item=%{INT:audit_item} name=\"?%{DATA:audit_name}\"? nametype=%{DATA:audit_nametype} cap_fp=%{DATA:audit_cap_fp} cap_fi=%{DATA:audit_cap_fi} cap_fe=%{DATA:audit_cap_fe} cap_fver=%{DATA:audit_cap_fver}
+
+
+## DAEMON_END, DAEMON_START
+AUDITD_28 op=%{DATA:audit_op} auid=%{INT:audit_auid} pid=%{NUMBER:audit_pid}( subj=%{DATA:audit_subject})? res=%{DATA:audit_res}
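Review bot: AUDITD_27 and AUDITD_28 both end in a non-greedy `%{DATA:...}` with nothing after it, so the last field (audit_cap_fver, audit_res) always captures the empty string; end them with `cap_fver=%{GREEDYDATA:audit_cap_fver}` and `res=%{GREEDYDATA:audit_res}` instead. Note also that grok returns on the first pattern that matches and AUDITD_24 precedes AUDITD_27 in the proposed match list, so a PATH record that carries inode=/dev=/... followed by cap_* fields will, as far as I can tell, still be taken by AUDITD_24 with the cap_* values left unparsed; if those are wanted, AUDITD_24 needs an optional trailing cap group. The `## DAEMON_END, DAEMON_START` heading uses two hashes where the rest of the file uses three.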

Needing to add

                "msg", "%{AUDITD_27}",
                "msg", "%{AUDITD_28}"

to grok filter
