Open 7czl opened 1 day ago

Use Cases
Using vector to gather the local security logs (/var/log/secure, /var/log/message, /var/log/sudo.log, etc.) to kafka and export logs from kafka to opensearch.
I tried to parse the logs generated by auditd, which are stored in /var/log/audit/audit.log in the format below. I tried the parse_* functions listed in the documentation but all failed.
type=CRED_ACQ msg=audit(1729236001.971:1172784): pid=10824 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Attempted Solutions
I have tried the parse_* family of functions to parse logs generated by auditd but failed. https://vector.dev/docs/reference/vrl/functions/#parse-functions Currently struggling to use parse_regex to extract useful fields from the log. Would you please add a function to parse the logs generated by auditd?

Proposal
No response

References
No response

Version
No response

Duplicate of https://github.com/vectordotdev/vrl/issues/66 (that repository should be used instead for VRL-related feature requests).
I'm currently working on it in https://github.com/vectordotdev/vrl/pull/1010. That PR was blocked until recently due to a licensing discussion that was recently resolved: https://github.com/hillu/linux-audit-parser-rs/issues/1#issuecomment-2386577606. If I find enough time these weeks I may work on this.
As a workaround meanwhile, maybe you can use https://github.com/vectordotdev/vrl/issues/66#issuecomment-1584066151.
However, it would be very useful for me to have more parsing thoughts in https://github.com/vectordotdev/vrl/issues/66 and to know how you would prefer the parsing to look. For example, we have doubts about https://github.com/vectordotdev/vrl/pull/1010#discussion_r1746324070.
Thank you very much for the request though :)
Although, it would be interesting to add a decoding.codec=auditd to vector's sources after it is done in VRL; the implementation would be very similar, and in simple cases it would be more efficient to use a codec than a remap transform.
@jszwedko is this interesting enough to create a tracking issue for it? I could address it after my VRL PR
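The sample record in the issue shows the two things a generic key=value split trips over: the key `msg` appears twice (first as the `audit(<timestamp>:<serial>):` header, then as a single-quoted segment that itself holds nested key=value pairs), and values may be bare, double-quoted, or the literal `?`. The following parser is an added example written for this thread; it is not code from Vector, VRL, or the linked pull request, and the struct and function names are my own. It splits one line into pairs while honouring both quote styles, pulls the timestamp and serial out of the header, and flattens the nested `msg='...'` pairs into the same field map. It does not decode auditd's hex-encoded string values (auditd emits those unquoted when a value contains quotes or non-printable bytes), so such values come through as the raw hex text.

```rust
use std::collections::BTreeMap;

/// One parsed auditd record: the record type, the audit(<ts>:<serial>)
/// header, and every key=value field flattened into a single map
/// (including the pairs nested inside the quoted msg='...' segment).
#[derive(Debug, Default, PartialEq)]
pub struct AuditRecord {
    pub record_type: String,
    pub timestamp: f64,
    pub serial: u64,
    pub fields: BTreeMap<String, String>,
}

/// Constructed sample: the record quoted in the issue body.
pub const SAMPLE_LINE: &str = r#"type=CRED_ACQ msg=audit(1729236001.971:1172784): pid=10824 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'"#;

/// Split whitespace-separated `key=value` pairs. A value is either bare
/// (runs to the next whitespace), double-quoted, or single-quoted; quotes
/// are stripped and whitespace inside them is kept. A bare token with no
/// `=` is kept as a key with an empty value rather than dropped silently.
fn split_pairs(input: &str) -> Vec<(String, String)> {
    let mut pairs = Vec::new();
    let mut chars = input.chars().peekable();
    loop {
        while matches!(chars.peek(), Some(c) if c.is_whitespace()) {
            chars.next();
        }
        let mut key = String::new();
        while let Some(&c) = chars.peek() {
            if c == '=' || c.is_whitespace() {
                break;
            }
            key.push(c);
            chars.next();
        }
        if key.is_empty() {
            break; // end of input (or a stray '=' with no key)
        }
        if chars.next() != Some('=') {
            pairs.push((key, String::new()));
            continue;
        }
        let mut value = String::new();
        let quote = chars.peek().copied();
        match quote {
            Some(q) if q == '"' || q == '\'' => {
                chars.next(); // opening quote
                while let Some(c) = chars.next() {
                    if c == q {
                        break; // closing quote
                    }
                    value.push(c);
                }
            }
            _ => {
                while let Some(&c) = chars.peek() {
                    if c.is_whitespace() {
                        break;
                    }
                    value.push(c);
                    chars.next();
                }
            }
        }
        pairs.push((key, value));
    }
    pairs
}

/// Parse the `audit(1729236001.971:1172784):` header into (timestamp, serial).
fn parse_header(raw: &str) -> Option<(f64, u64)> {
    let inner = raw.strip_prefix("audit(")?.strip_suffix("):")?;
    let (ts, serial) = inner.split_once(':')?;
    Some((ts.parse().ok()?, serial.parse().ok()?))
}

/// Parse one audit.log line. Returns None when the line has no `type=`
/// field or when the header cannot be parsed.
pub fn parse_audit_line(line: &str) -> Option<AuditRecord> {
    let mut rec = AuditRecord::default();
    for (key, value) in split_pairs(line.trim()) {
        match key.as_str() {
            "type" => rec.record_type = value,
            // First msg= is the header; it carries no nested fields.
            "msg" if value.starts_with("audit(") => {
                let (ts, serial) = parse_header(&value)?;
                rec.timestamp = ts;
                rec.serial = serial;
            }
            // Second msg='...' holds nested pairs; flatten them into the map.
            "msg" => {
                for (k, v) in split_pairs(&value) {
                    rec.fields.insert(k, v);
                }
            }
            _ => {
                rec.fields.insert(key, value);
            }
        }
    }
    if rec.record_type.is_empty() {
        return None;
    }
    Some(rec)
}

fn main() {
    match parse_audit_line(SAMPLE_LINE) {
        Some(rec) => println!("{:#?}", rec),
        None => eprintln!("not an audit record"),
    }
}
```

Keys that repeat inside the nested segment overwrite earlier ones in the flat map, which is what you usually want for a single record; if a pipeline needs to keep both, change `fields` to a map of vectors. The `?` placeholder (hostname, addr in the sample) is left as the literal string so a downstream rule can decide whether to treat it as unknown or absent.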