Created
January 24, 2016 09:19
-
-
Save urykhy/e25cd128251e53a080ac to your computer and use it in GitHub Desktop.
fluentd + auditd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <source> | |
| type tcp | |
| port 9881 | |
| tag audit | |
| time_format %s | |
| format /(^type=AVC msg=audit\((?<time>\w+).*: apparmor=\"(?<resolution>\w+)\" operation=\"(?<operation>\w+)\"( profile=\"(?<profile>[^ ]+)\"){0,1}( name=\"(?<name>[^ ]+)\"){0,1} pid=(?<pid>\d+) comm=\"{0,1}(?<comm>[^ ]+)\"{0,1}( requested_mask=\"(?<requested_mask>\w+)\" denied_mask=\"(?<denied_mask>\w+)\" fsuid=(?<fsuid>\d+))?|^type=(?<type>\w+) msg=audit\((?<time>\w+).*: pid=(?<pid>\d+) uid=(?<uid>\d+) .* msg='(?<message>.*)'|type=NETFILTER_CFG msg=audit\((?<time>\w+).*: table=(?<table>[^ ]+) family=(?<family>\d+) entries=(?<entries>\d+)|type=ANOM_PROMISCUOUS msg=audit\((?<time>\w+).*: dev=(?<device>[^ ]+) prom=(?<prom>\d+) old_prom=(?<old_prom>\d+).*)|type=DAEMON\w+ msg=audit\((?<time>\w+).*: (?<message>.*)|type=CONFIG_CHANGE msg=audit\((?<time>\w+).*: (?<message>.*)/ | |
| </source> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment