paseaf / ContainerSSH-honeypot

A high-interaction SSH honeypot built with ContainerSSH for GCP
MIT License

Audit log processing and analyzing #28

Closed paseaf closed 2 years ago

paseaf commented 2 years ago

Problem

Currently, we have to manually download the audit log data and decode it via a CLI tool.

Goal

We want to simplify this process with some tool, so that we can easily check the decoded audit log when running the honeypot.

Interesting information we want:

  1. metadata analysis: find attackers' IP locations, time, username, etc.
  2. attack activities: find detailed activities per attack

Relevant readings

Audit Decoder CLI tool (maybe good enough for bash scripts?): https://github.com/ContainerSSH/ContainerSSH/releases/tag/v0.4.1
Could also use some JSON converter utility.

Understanding SSH: https://containerssh.io/development/containerssh/ssh/ (Janos: read it, otherwise that audit log will get very confusing.)

paseaf commented 2 years ago

Possible steps (moved to issue description):

  1. ~~download/sync audit logs from MinIO to local machine~~
  2. ~~decode all audit logs (challenge: how to make it fast for a large number of files?)~~
  3. ~~transform decoded logs into some readable format (for example, csv, diagram, ...)~~
  4. ~~analyze and maybe redo step 3 to facilitate analysis~~
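As an added example of steps 2 to 4 above and of the "metadata analysis" goal in the issue description, the script below reduces decoded audit events to one row per SSH connection (remote address, first-seen time, usernames tried, whether a login succeeded, commands executed) and writes them as CSV. It is not code from this repository or from ContainerSSH. It assumes the audit log has already been run through the decoder CLI and converted to JSON Lines (one event per line); the field names `connectionId`, `timestamp`, `event`, `payload`, `remoteAddr`, `username`, `program` and the event names used in the constructed sample are assumptions of this example, not the documented decoder schema, so they need to be checked against real decoder output before use. Malformed lines (a truncated or corrupt file) are skipped rather than aborting the whole run, which matters when thousands of files are processed in a batch.

```python
"""Summarise decoded ContainerSSH audit events per connection and emit CSV.

Added example for the honeypot issue; not part of the repository or of
ContainerSSH. Field and event names below are assumptions.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample of decoded events (JSON Lines). Two connections: c1 only
# brute-forces passwords, c2 logs in and runs two commands. The final line is
# deliberately not JSON to exercise the skip-on-error path.
SAMPLE_EVENTS = """\
{"connectionId":"c1","timestamp":1700000000,"event":"connect","payload":{"remoteAddr":"198.51.100.7"}}
{"connectionId":"c1","timestamp":1700000001,"event":"auth_password","payload":{"username":"root","password":"123456"}}
{"connectionId":"c1","timestamp":1700000002,"event":"auth_password","payload":{"username":"admin","password":"admin"}}
{"connectionId":"c1","timestamp":1700000003,"event":"disconnect","payload":{}}
{"connectionId":"c2","timestamp":1700000100,"event":"connect","payload":{"remoteAddr":"203.0.113.9"}}
{"connectionId":"c2","timestamp":1700000101,"event":"auth_password","payload":{"username":"root","password":"toor"}}
{"connectionId":"c2","timestamp":1700000102,"event":"auth_password_successful","payload":{"username":"root"}}
{"connectionId":"c2","timestamp":1700000103,"event":"exec","payload":{"program":"uname -a"}}
{"connectionId":"c2","timestamp":1700000104,"event":"exec","payload":{"program":"id"}}
{"connectionId":"c2","timestamp":1700000105,"event":"disconnect","payload":{}}
this line is corrupt and must be skipped instead of aborting the batch
"""


def parse_events(text):
    """Yield event dicts from JSON Lines text, skipping unparseable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # corrupt/truncated line: keep going
        if isinstance(event, dict) and "connectionId" in event and "event" in event:
            yield event


def summarise(text):
    """Return one summary dict per connection, ordered by first timestamp."""
    connections = {}
    for event in parse_events(text):
        summary = connections.setdefault(event["connectionId"], {
            "connection_id": event["connectionId"],
            "remote_addr": "",
            "first_seen": None,
            "last_seen": None,
            "usernames": [],
            "auth_attempts": 0,
            "login_success": False,
            "commands": [],
        })
        ts = event.get("timestamp")
        if isinstance(ts, (int, float)):
            summary["first_seen"] = ts if summary["first_seen"] is None else min(summary["first_seen"], ts)
            summary["last_seen"] = ts if summary["last_seen"] is None else max(summary["last_seen"], ts)
        payload = event.get("payload") or {}
        kind = event["event"]
        if kind == "connect":
            summary["remote_addr"] = payload.get("remoteAddr", "")
        elif kind == "auth_password":
            summary["auth_attempts"] += 1
            user = payload.get("username")
            if user and user not in summary["usernames"]:
                summary["usernames"].append(user)
        elif kind == "auth_password_successful":
            summary["login_success"] = True
        elif kind == "exec":
            summary["commands"].append(payload.get("program", ""))
    return sorted(connections.values(), key=lambda s: s["first_seen"] or 0)


def to_csv(summaries):
    """Flatten summaries into CSV text; list-valued fields are joined with ';'."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["connection_id", "remote_addr", "first_seen_utc", "duration_s",
                     "auth_attempts", "usernames", "login_success", "commands"])
    for s in summaries:
        first = s["first_seen"]
        first_iso = datetime.fromtimestamp(first, tz=timezone.utc).isoformat() if first is not None else ""
        duration = s["last_seen"] - first if first is not None else ""
        writer.writerow([s["connection_id"], s["remote_addr"], first_iso, duration,
                         s["auth_attempts"], ";".join(s["usernames"]),
                         int(s["login_success"]), ";".join(s["commands"])])
    return out.getvalue()


if __name__ == "__main__":
    # Usage: replace SAMPLE_EVENTS with the contents of a decoded log file.
    print(to_csv(summarise(SAMPLE_EVENTS)))
```

Grouping by connection rather than by event is what turns the raw stream into the "detailed activities per attack" view the issue asks for; the CSV output is meant to be loaded into a spreadsheet or plotted, and the same summaries can be fed to a geolocation lookup on `remote_addr` for the IP-location part of the metadata analysis.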
paseaf commented 2 years ago

We already have over 10 GiB of data on MinIO.

Do we really want/need to download everything?