[Auditd Logs] Support ENRICHED log format

[jamiehynds]

RHEL 8 has changed default value of log_format to ENRICHED - it was RAW in RHEL 7 by default. Our integration does not parse the Enriched format natively.

Sample events that fail to parse using our integration:

type=SOCKADDR msg=audit(1666825569.818:23260118): saddr=02000000000000000000000000000000�SADDR={ saddr_fam=inet laddr=0.0.0.0 lport=0 }
type=SOCKADDR msg=audit(1666825569.435:23260106): saddr=0A00DE990000000000000000000000000000FFFF3A6C48DE00000000�SADDR={ saddr_fam=inet6 laddr=::ffff:58.108.72.222 lport=56985 }
type=SOCKADDR msg=audit(1666825568.865:23260105): saddr=0100�SADDR={ saddr_fam=local sockaddr len too short }

Error message:

"message": "field [auditd.log.kv] does not contain value_split [=]"

It looks like there are several issues here:

• There is a unicode group separator (\u001d) after a normal list of kv pairs
• The ENRICHED format adds the 0x1D as a separator between the raw audit data from the kernel and the enriched data from the auditd daemon.
• Following the group separator, there is a nested group of kv pairs inside {} with additional spaces
• Some of the values within the nested kv pairing group contain spaces within the value

User provided a GROK pattern which seems be working for them:

"grok": {
"field": "event.original",
"pattern_definitions": {
"AUDIT_TYPE": "type=%{NOTSPACE:auditd.log.record_type}",
"AUDIT_NODE": "node=%{IPORHOST:auditd.log.node} ",
"AUDIT_PREFIX": "^(?:%{AUDIT_NODE})?%{AUDIT_TYPE} msg=audit[\\(%{NUMBER](file://%28%25%7Bnumber/):auditd.log.epoch}:%{NUMBER:auditd.log.sequence}[\\)](file://%29/):(%{DATA})?",
"AUDIT_KEY_VALUES": "%{WORD}=%{GREEDYDATA}",
"ANY": ".*"
},
"patterns": [
"%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} old auid=%{NUMBER:auditd.log.old_auid} new auid=%{NUMBER:auditd.log.new_auid} old ses=%{NUMBER:auditd.log.old_ses} new ses=%{NUMBER:auditd.log.new_ses}",
"%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} msg=['\"]([^=]*[\\s)](file://s%29/)?%{ANY:auditd.log.sub_kv}['\"]",
"%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv}.SADDR={ %{AUDIT_KEY_VALUES:auditd.log.sub_kv} }",
"%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv}",
"%{AUDIT_PREFIX}",
"%{AUDIT_TYPE} %{AUDIT_KEY_VALUES:auditd.log.kv}"
]

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)