threathunters-io / laurel

Transform Linux Audit logs for SIEM usage
GNU General Public License v3.0
707 stars 56 forks

Implement filtering on individual raw audit records #193

Closed hillu closed 9 months ago

hillu commented 9 months ago

Example: Filter out events that involve the glibc nscd socket (/var/run/nscd/socket):

# TOML basic strings need "\\" for each regex backslash. The optional
# "node=... " group covers records that carry a node name; the saddr value is
# the hex-encoded AF_UNIX sockaddr for "/var/run/nscd/socket".
filter-raw = [
    "^type=SOCKADDR (?:node=\\S*? )?msg=audit\\(\\S*?\\): saddr=01002F7661722F72756E2F6E7363642F736F636B657400"
]

Close: #190
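To see what the pattern above actually selects, here is an added example (not part of the issue or of laurel's code) that applies the same regex to a few constructed raw audit records and decodes the `saddr=` hex back into the socket path. It assumes a little-endian host for the 16-bit address family, and it only decides per record whether the pattern matches; how laurel then treats the rest of the event is up to laurel and is not modelled here.

```python
import re
import struct

# The filter-raw pattern from the issue, written as Python sees it after TOML
# has turned each "\\" into a single backslash. The "node=... " part is
# optional because audit only emits it when a node name is configured.
NSCD_SOCKET_FILTER = re.compile(
    r"^type=SOCKADDR (?:node=\S*? )?msg=audit\(\S*?\): "
    r"saddr=01002F7661722F72756E2F6E7363642F736F636B657400"
)

AF_UNIX = 1


def encode_unix_saddr(path):
    """Build the hex form audit uses for an AF_UNIX sockaddr: a 16-bit family
    (assumed little-endian, as on x86) followed by the NUL-terminated path,
    in upper-case hex as it appears in the audit log."""
    return (struct.pack("<H", AF_UNIX) + path.encode() + b"\x00").hex().upper()


def decode_saddr(hex_saddr):
    """Decode an audit saddr= value into (family, path). The path is only
    recovered for AF_UNIX; other families yield None for the path."""
    raw = bytes.fromhex(hex_saddr)
    (family,) = struct.unpack("<H", raw[:2])
    if family != AF_UNIX:
        return family, None
    path = raw[2:].split(b"\x00", 1)[0]
    return family, path.decode("utf-8", errors="replace")


def record_is_dropped(line):
    """True when the raw record matches the filter and would be discarded."""
    return NSCD_SOCKET_FILTER.search(line) is not None


def apply_filter(lines):
    """Return only the records the filter lets through."""
    return [line for line in lines if not record_is_dropped(line)]


# Constructed sample records (timestamps, serials and hostnames are made up).
SAMPLE_RECORDS = [
    "type=SOCKADDR msg=audit(1700000000.123:4567): "
    "saddr=01002F7661722F72756E2F6E7363642F736F636B657400",
    "type=SOCKADDR node=host1 msg=audit(1700000000.124:4568): "
    "saddr=01002F7661722F72756E2F6E7363642F736F636B657400",
    "type=SOCKADDR msg=audit(1700000000.125:4569): "
    "saddr=" + encode_unix_saddr("/run/dbus/system_bus_socket"),
    "type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=42 "
    "success=yes exit=0",
]

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        verdict = "DROP" if record_is_dropped(line) else "KEEP"
        m = re.search(r"saddr=([0-9A-Fa-f]+)", line)
        target = decode_saddr(m.group(1)) if m else None
        print(verdict, target, line[:60])
```

Running it shows that only the two SOCKADDR records whose decoded path is /var/run/nscd/socket match, with or without a node= prefix; a SOCKADDR record for a different Unix socket and the SYSCALL record of the same event do not. When writing your own filter-raw entries, encoding the path with a helper like encode_unix_saddr is less error-prone than typing the hex by hand.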