Open h-adwan opened 12 months ago
This is the file I was trying to parse.
Since the auditd log format isn't optimal for correlation and visibility (especially in a SIEM), would it be possible to parse the logs using Laurel?
This will generate and enrich aggregated events instead of multiple records per event.
Note that we do use a library to reassemble the audit logs into something usable: https://github.com/elastic/go-libaudit
I don't know if it is the best library, but it should work reasonably well; if not, we can file an issue upstream. Of course, it is possible that reassembly is not possible because a message is dropped. As you say, auditd is pretty terrible for visibility.
We cannot use the library you pointed to because it is written in Rust and we need Go.
I'm encountering difficulties parsing auditd logs in Linux when using the audit rules provided by Florian's GitHub repository (https://github.com/Neo23x0/auditd/blob/master/audit.rules).
Not all of the logs are being displayed or parsed correctly. I'm specifically interested in finding logs where the type column is =~ "EXECVE" or "PATH" within the audit log file I'm parsing. These types of logs are present in the log file, but they are not presented in the results after parsing.