GROK PATTERN
AUDIT type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): argc=(%{NUMBER:audit_argc}) %{GREEDYDATA:audit_raw_args}
# Logstash Conf snippet
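filter {
  # Parse the raw auditd line with the AUDIT grok pattern defined above.
  grok {
    match => { "message" => "%{AUDIT}" }
  }
  # grok captures audit_argc as a string; convert it so the ruby filter
  # below can use it as an integer loop bound.
  mutate {
    convert => [ "audit_argc", "integer" ]
  }
  # Split audit_raw_args into one field per argument (a0, a1, ...) and a
  # space-joined audit_args field.
  # NOTE: written against the Logstash 1.x/2.x event API (event['field']);
  # Logstash 5+ requires event.get / event.set.
  ruby {
    code => "
      argc = event['audit_argc']
      raw_args = event['audit_raw_args']
      # Only proceed when the convert above produced an integer and there is
      # something to parse; a non-integer argc must not raise inside the filter.
      if argc.is_a?(Integer) && argc > 0 && !raw_args.nil?
        args = []
        argc.times do |i|
          key = 'a' + i.to_s
          # auditd writes each argument either double-quoted, or - when the
          # value contains a space, a quote or non-printable bytes - as an
          # unquoted hex string (e.g. a1=2D48). Require a preceding space or
          # line start and a following space or line end so a match cannot
          # start inside another argument's value or stop mid hex run.
          m = raw_args.match('(?:^| )' + key + '=(?:\"([^\"]*)\"|([0-9A-Fa-f]+))(?: |$)')
          next if m.nil?
          value = m[1]
          if value.nil?
            # Hex-encoded argument: decode to bytes. Keep the raw hex text if
            # the bytes are not valid UTF-8 so the event remains indexable.
            decoded = [m[2]].pack('H*').force_encoding('UTF-8')
            value = decoded.valid_encoding? ? decoded : m[2]
          end
          event[key] = value
          args << value
        end
        # Joined without the leading space the old concatenation produced.
        event['audit_args'] = args.join(' ')
      end
    "
  }
}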
# Example input line:
# type=EXECVE msg=audit(1415736961.619:352083): argc=4 a0="/bin/bash" a1="/usr/bin/tester" a2="-H" a3="cool"