Fluentd Filter Plugin to parse linux's audit log.
Add this line to your application's Gemfile:
gem 'fluent-plugin-filter-dgi-audit-log'
And then execute:
$ bundle
Or install it yourself as:
$ gem install fluent-plugin-filter-dgi-audit-log
@type parse_audit_log
#key message
#flatten false
<source>
@type forward
</source>
<filter audit.log>
@type parse_audit_log
</filter>
<match audit.log>
@type stdout
</match>
echo '{"message":"type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm=\"cat\" exe=\"/bin/cat\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"sshd_config\""}' \
| fluent-cat -t audit.log
{
"header": {
"type": "SYSCALL",
"msg": "audit(1364481363.243:24287)"
},
"body": {
"arch": "c000003e",
"syscall": "2",
"success": "no",
"exit": "-13",
"a0": "7fffd19c5592",
"a1": "0",
"a2": "7fffd19c4b50",
"a3": "a",
"items": "1",
"ppid": "2686",
"pid": "3538",
"auid": "500",
"uid": "500",
"gid": "500",
"euid": "500",
"suid": "500",
"fsuid": "500",
"egid": "500",
"sgid": "500",
"fsgid": "500",
"tty": "pts0",
"ses": "1",
"comm": "\"cat\"",
"exe": "\"/bin/cat\"",
"subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
"key": "\"sshd_config\""
}
}