Remote Logging of auditd

Hi All,

I wanted to send this out to see if anyone has encountered this situation before and, if so, how you handled it.  We send our auditd logs to a remote central logging server.  Is there any way to decode the hex encoded fields before sending them along?  Similar to the ausearch [-i] flag which interprets the encoded value?

For example, the "data" field in a USER_TTY event:

type=USER_TTY msg=audit(1516365981.138:13125): pid=7161 uid=0 auid=1007 ses=65 data="">
type=USER_TTY msg=audit(1516367294.919:13331): pid=7161 uid=0 auid=1007 ses=65 data="">
type=USER_TTY msg=audit(1516367648.904:13375): pid=7161 uid=0 auid=1007 ses=65 data="">
type=USER_TTY msg=audit(1516367664.832:13378): pid=7161 uid=0 auid=1007 ses=65 data="">
type=USER_TTY msg=audit(1516367715.041:13388): pid=7161 uid=0 auid=1007 ses=65 data="">

We have the following configured in our /etc/rsyslog.conf file:

:programname, isequal, "audispd" @SERVER_NAME:514
:programname, isequal, "auditd" @SERVER_NAME:514

^^ This, however, will send those fields in their raw format and does not decode the values.  Is it possible to natively interpret those fields before sending them to the remote server?

Joshua Ammons Advanced SIEM Engineer, Cybersecurity
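As an added illustration of the decoding step the question asks about (this is not code from the original post or from the audit project), the filter below rewrites unquoted hex-encoded audit fields into quoted text the way `ausearch -i` does for string fields, so it could sit between auditd and the forwarder (for example behind rsyslog's `omprog` output module, which pipes messages to a program's stdin). The set of field names treated as hex-encoded and the sample USER_TTY line are assumptions constructed for the example; audit only hex-encodes a value when it contains whitespace, quotes or non-printable bytes, so the decoder re-escapes those characters after decoding to keep one event per line and to keep the embedded quotes from breaking downstream parsers.

```python
import re
import sys

# Field names whose values audit emits as unquoted hex when they contain
# whitespace, quotes or control bytes. Assumed list for this example;
# extend it for the record types you forward. Numeric fields such as
# ses= or uid= are deliberately NOT here: "65" is a valid hex string but
# must stay a number.
HEX_ENCODED_FIELDS = {"data", "proctitle", "cmd", "comm", "exe", "cwd",
                      "path", "name", "key", "acct"}

_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
# key=value, where value is either a double-quoted string or a bare token.
_FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_-]+)=(?P<val>"[^"]*"|\S+)')


def _escape(text):
    """Escape quotes, backslashes and control characters so the decoded
    value stays a single, parseable quoted token on one line."""
    out = []
    for ch in text:
        if ch in ('"', '\\'):
            out.append('\\' + ch)
        elif ch == '\n':
            out.append('\\n')
        elif ch == '\r':
            out.append('\\r')
        elif ch == '\t':
            out.append('\\t')
        elif ord(ch) < 0x20 or ord(ch) == 0x7f:
            out.append('\\x%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def decode_field(key, val):
    """Return the value to emit for key=val: decoded and re-quoted if it is a
    hex-encoded string field, otherwise unchanged."""
    if key not in HEX_ENCODED_FIELDS or val.startswith('"') or not _HEX_RE.match(val):
        return val
    raw = bytes.fromhex(val)
    # Audit does not guarantee UTF-8; replace undecodable bytes rather than fail.
    text = raw.decode('utf-8', errors='replace')
    return '"' + _escape(text) + '"'


def decode_audit_line(line):
    """Decode every hex-encoded string field in one raw audit record."""
    def repl(m):
        return m.group('key') + '=' + decode_field(m.group('key'), m.group('val'))
    return _FIELD_RE.sub(repl, line)


# Constructed sample: data= carries the hex for "ls -la /etc\n".
SAMPLE_LINE = ('type=USER_TTY msg=audit(1516365981.138:13125): pid=7161 uid=0 '
               'auid=1007 ses=65 data=6C73202D6C61202F6574630A')


if __name__ == "__main__":
    # Filter mode: read raw records on stdin, write decoded records on stdout.
    for raw_line in sys.stdin:
        sys.stdout.write(decode_audit_line(raw_line.rstrip('\n')) + '\n')
        sys.stdout.flush()
```

Run with `python3 decode_audit.py < /var/log/audit/audit.log` to check the output before wiring it into the pipeline. Note that this only decodes the string encoding; the uid/auid-to-name and syscall-number translation that `ausearch -i` also performs needs the local passwd and syscall tables, so it is better done on the sending host as well if the central server should not have to know them.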