elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[auditd]: ENRICHED ascii character separation not working #10852

Open nicholasberlin opened 2 months ago

nicholasberlin commented 2 months ago

Integration Name

Auditd Logs [auditd]

Dataset Name

auditd.log

Integration Version

3.20.0

Agent Version

8.15.0

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.0

OS Version and Architecture

Linux

Software/API Version

No response

Error Message

No response

Event Original

No response

What did you do?

default configuration

What did you see?

The following auditd message is not being properly parsed.

[
  {
    "_index": "index",
    "_id": "id",
    "_source": {
      "event": {
        "original": "node=praorem001 type=SYSCALL msg=audit(1723109482.048:4981103): arch=c000003e syscall=87 success=yes exit=0 a0=7f1118081d10 a1=7f1118081d10 a2=242 a3=180 items=2 ppid=560201 pid=560348 auid=1561577791 uid=2012 gid=2007 euid=2012 suid=2012 fsuid=2012 egid=2007 sgid=2007 fsgid=2007 tty=(none) ses=126 comm=\"httpd\" exe=\"/app/ogc101/app/dllogc/product/13.5.0/mw_100/ohs/bin/httpd\" key=\"delete\"\u001dARCH=x86_64 SYSCALL=unlink AUID=\"na-uoradbdba03\" UID=\"dllogc\" GID=\"oinstall\" EUID=\"dllogc\" SUID=\"dllogc\" FSUID=\"dllogc\" EGID=\"oinstall\" SGID=\"oinstall\" FSGID=\"oinstall\""
      }
    }
  }
]

results in

              "key": "delete\"\u001dARCH=x86_64",

What did you expect to see?

Expected:

 "key": "delete",
 "ARCH": "x86_64",

Anything else?

No response

elasticmachine commented 2 months ago

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

LaZyDK commented 1 month ago

We see this error a lot. Looking forward to a fix.

Tacklebox commented 2 weeks ago

10333 is the tracking issue for this (and some other related) problems. I am currently working on a fix for the ingest pipeline for this integration. In the long term, I plan on bringing in the full Go parser from https://github.com/elastic/go-libaudit to ship pre-parsed audit logs directly from the beat.
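
The parsing problem reported in this issue, as an added example that is not part of the thread and is not code from the integration or from go-libaudit: a record in auditd's ENRICHED format carries a 0x1D (ASCII group separator) byte between the raw fields and the translated uppercase fields, so a tokenizer that splits only on spaces glues `ARCH=x86_64` onto the `key` value, while splitting at 0x1D first yields both field sets. The function names and the returned dictionary layout are assumptions made for illustration, and the sample line is constructed by shortening the event quoted in the issue.

```python
import re

GS = "\x1d"  # ASCII group separator auditd writes before the enriched fields

# name=value, where value is a double-quoted string or a run of non-space chars
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEADER = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")


def _pairs(text):
    """Parse name=value tokens, dropping surrounding double quotes."""
    out = {}
    for name, value in _PAIR.findall(text):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        out[name] = value
    return out


def naive_pairs(line):
    """Space-only tokenizer: the 0x1D byte stays glued to the last raw value."""
    return dict(tok.split("=", 1) for tok in line.split(" ") if "=" in tok)


def parse_enriched(line):
    """Split one record at 0x1D, then parse each half separately."""
    raw, _, enriched = line.partition(GS)
    header = _HEADER.search(raw)
    if header is None:
        raise ValueError("no msg=audit(<time>:<seq>): header found")
    fields = _pairs(raw[:header.start()])      # node=, type=
    fields.update(_pairs(raw[header.end():]))  # syscall fields, key=
    return {
        "timestamp": float(header.group(1)),
        "sequence": int(header.group(2)),
        "fields": fields,
        "enriched": _pairs(enriched),  # empty when no 0x1D section is present
    }


# Constructed sample: the event from the issue, shortened to a few fields.
SAMPLE = ('node=praorem001 type=SYSCALL msg=audit(1723109482.048:4981103): '
          'arch=c000003e syscall=87 success=yes exit=0 comm="httpd" key="delete"'
          '\x1dARCH=x86_64 SYSCALL=unlink UID="dllogc" GID="oinstall"')

if __name__ == "__main__":
    print(repr(naive_pairs(SAMPLE)["key"]))  # value still contains the 0x1D byte
    print(parse_enriched(SAMPLE))
```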