threathunters-io / laurel

Transform Linux Audit logs for SIEM usage
GNU General Public License v3.0
688 stars 56 forks

hostname translated to numbers in v0.6.0 #210

Closed RomainPisters closed 5 months ago

RomainPisters commented 5 months ago

auditd version: audit-3.0.7-104.el9.x86_64
laurel version: v0.6.0
os version: rocky linux 9.3

I've set name_format to hostname in auditd.conf and I can see my hostname 'purpleteam-rocky' is added to the auditd logs. When I checked laurel, instead of the hostname I found the 'NODE' key to contain 16 digits instead of my hostname (which is also 16 characters).

I've tried running laurel v0.5.6 instead of v0.6.0 and it works for that version, so it appears that something was changed in the latest release.

Here's a snippet when running laurel v0.5.6:

{
  "ID": "1710510174.216:12513",
  "NODE": "purpleteam-rocky",
  <snip>
}

And this is v0.6.0:

{
  "ID": "1710510304.527:15813",
  "NODE": [112,117,114,112,108,101,116,101,97,109,45,114,111,99,107,121],
  <snip>
}

And for reference a snippet of the actual auditd log:

[root@purpleteam-rocky ~]# tail -n 2 /var/log/audit/audit.log
node=purpleteam-rocky type=PATH msg=audit(1710510768.580:15936): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1506 dev=103:05 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
node=purpleteam-rocky type=PROCTITLE msg=audit(1710510768.580:15936): proctitle=7461696C002D6E0032002F7661722F6C6F672F61756469742F61756469742E6C6F67

I've tried doing the translating in laurel instead of using 'log_format = ENRICHED' but that doesn't make any difference.
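An added example (not laurel's code) of a SIEM-side normaliser for the output shown above: it accepts NODE either as a string (v0.5.6) or as the byte-value array seen in v0.6.0, decodes the array back to the hostname, cross-checks it against the node= field of the raw audit line, and flags records that carry the array form. The sample records and the raw line are constructed to match the report.

```python
import json
from typing import Optional

# Constructed samples in the shape shown in the report.
SAMPLE_V060 = ('{"ID": "1710510304.527:15813", '
               '"NODE": [112,117,114,112,108,101,116,101,97,109,45,114,111,99,107,121]}')
SAMPLE_V056 = '{"ID": "1710510174.216:12513", "NODE": "purpleteam-rocky"}'
# Constructed raw auditd line with the node= prefix from the report.
RAW_AUDIT_LINE = ('node=purpleteam-rocky type=PROCTITLE '
                  'msg=audit(1710510768.580:15936): proctitle=7461696C')


def node_from_laurel(record: dict) -> Optional[str]:
    """Return NODE as text, accepting the string form (v0.5.6) and the
    byte-array form observed in v0.6.0; None if absent or malformed."""
    node = record.get("NODE")
    if isinstance(node, str):
        return node
    if isinstance(node, list) and all(isinstance(b, int) and 0 <= b <= 255 for b in node):
        # The array holds the UTF-8 bytes of the hostname; decode strictly so
        # arbitrary byte garbage does not silently turn into a hostname.
        try:
            return bytes(node).decode("utf-8")
        except UnicodeDecodeError:
            return None
    return None


def node_from_audit_line(line: str) -> Optional[str]:
    """Extract the node= value from a raw auditd line (first field)."""
    for field in line.split():
        if field.startswith("node="):
            return field[len("node="):]
    return None


def normalize(line: str) -> dict:
    """Parse one laurel JSON line and rewrite NODE to a plain string."""
    rec = json.loads(line)
    node = node_from_laurel(rec)
    if node is not None:
        rec["NODE"] = node
    return rec


def has_byte_array_node(line: str) -> bool:
    """True if the record still carries NODE as an array (the v0.6.0 form)."""
    return isinstance(json.loads(line).get("NODE"), list)
```

The decoded hostname can then be compared with node_from_audit_line() on the matching raw record to confirm the two pipelines agree.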

hillu commented 5 months ago

Good catch! I suppose this warrants a bugfix release.