Closed Phrozyn closed 5 years ago

When trying to parse multi-line events such as the one below with fluentd, the field name "processname" becomes a problem because it exists at both the top level and the lower level with different values. Can we rename one of them to be more explanatory? Like maybe the audisp one could be "program" while the "processname" in details remains?

```json
{
  "category": "socket",
  "summary": "Socket",
  "severity": "INFO",
  "hostname": "ip-172-31-23-75.us-west-2.compute.internal",
  "processid": "0",
  "processname": "audisp-json",
  "timestamp": "2019-04-04T13:18:23+0000",
  "tags": [ "audisp-json", "2.2.4", "audit" ],
  "details": {
    "auditserial": "121",
    "session": "4294967295",
    "fsgid": "0",
    "sgid": "0",
    "egid": "0",
    "fsuid": "0",
    "suid": "0",
    "euid": "0",
    "gid": "0",
    "pid": "297",
    "process": "/sbin/auditctl",
    "tty": "(none)",
    "uid": "0",
    "user": "root",
    "originaluid": "4294967295",
    "auditkey": "net",
    "protocol": "9",
    "type": "3",
    "domain": "10",
    "processname": "auditctl",
    "auditserial": "121"
  }
}
```

Currently it's using the first field as the "process that is sending events" and the second (details.processname) as the process logged by auditd. Is that incorrect for MozDef?

Actually, reading the dependency bug above... I guess it's fine now, so I'll close it :) Sorry, didn't see this back then.
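The collision the issue describes only bites when a pipeline stage copies `details` up to the top level, at which point the nested `processname` (the audited process) silently overwrites the top-level one (the emitting daemon). The following added example, which is not code from the issue, from audisp-json or from MozDef, reassembles pretty-printed multi-line JSON records from a line stream, shows the overwrite with a naive merge, and then applies the rename proposed in the issue (top-level `processname` to `program`) together with dotted-key flattening so both values survive. The sample event is constructed to match the shape shown above; the function names `iter_json_records`, `naive_merge`, `normalize`, `flatten` and `parse_stream` are this example's own.

```python
import json
from typing import Iterable, Iterator

# Constructed sample: one audisp-json socket event pretty-printed across several
# lines, in the shape shown in the issue (trimmed; values are illustrative).
SAMPLE_LINES = [
    '{',
    '  "category": "socket",',
    '  "summary": "Socket",',
    '  "severity": "INFO",',
    '  "hostname": "ip-172-31-23-75.us-west-2.compute.internal",',
    '  "processid": "0",',
    '  "processname": "audisp-json",',
    '  "timestamp": "2019-04-04T13:18:23+0000",',
    '  "tags": ["audisp-json", "2.2.4", "audit"],',
    '  "details": {',
    '    "auditserial": "121",',
    '    "pid": "297",',
    '    "process": "/sbin/auditctl",',
    '    "uid": "0",',
    '    "user": "root",',
    '    "auditkey": "net",',
    '    "processname": "auditctl"',
    '  }',
    '}',
]


def iter_json_records(lines: Iterable[str]) -> Iterator[dict]:
    """Reassemble JSON objects that span several lines by tracking brace depth.

    Braces inside string values (e.g. a command line in "details") are ignored so
    they cannot split or glue records. Each complete object is parsed and yielded.
    """
    buf, depth, in_string, escape = [], 0, False, False
    for line in lines:
        buf.append(line)
        for ch in line:
            if in_string:
                if escape:
                    escape = False
                elif ch == "\\":
                    escape = True
                elif ch == '"':
                    in_string = False
                continue
            if ch == '"':
                in_string = True
            elif ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
        if depth == 0:
            text = "\n".join(buf)
            buf = []
            if text.strip():
                yield json.loads(text)


def naive_merge(event: dict) -> dict:
    """What a flat 'copy details to the top level' stage does: the nested
    processname replaces the emitting daemon's processname, which is lost."""
    merged = {k: v for k, v in event.items() if k != "details"}
    merged.update(event.get("details", {}))
    return merged


def normalize(event: dict, sender_field: str = "program") -> dict:
    """Rename the top-level processname (the daemon emitting the event) to
    sender_field, as the issue proposes, so the two values no longer share a name."""
    out = dict(event)
    if "processname" in out:
        out[sender_field] = out.pop("processname")
    return out


def flatten(event: dict, prefix: str = "", sep: str = ".") -> dict:
    """Flatten nested dicts into dotted keys (details.processname), the other
    collision-free option when a downstream store wants a flat document."""
    flat = {}
    for key, value in event.items():
        name = f"{prefix}{sep}{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name, sep))
        else:
            flat[name] = value
    return flat


def parse_stream(lines: Iterable[str]) -> list:
    """Full pipeline: reassemble records, rename the sender field, flatten."""
    return [flatten(normalize(ev)) for ev in iter_json_records(lines)]


if __name__ == "__main__":
    for record in parse_stream(SAMPLE_LINES):
        print(json.dumps(record, indent=2))
```

Running the block prints a single flat record in which `program` is `audisp-json` and `details.processname` is `auditctl`; the `naive_merge` function is included only to make the overwrite visible, and a pipeline should use `normalize` or `flatten` (or both) instead.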