
Extract more fields in Audit decoder #256

Merged: 2 commits merged into 3.8 from enhance-audit-decoder on Jan 8, 2019

Conversation

albertomn86 (Contributor)

Before:

**Phase 1: Completed pre-decoding.
       full event: 'type=SYSCALL msg=audit(1546956747.723:17): arch=c000003e syscall=1 success=yes exit=122732 a0=6 a1=7fd88a9c9010 a2=1df6c a3=0 items=0 ppid=763 pid=765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)'
       timestamp: '(null)'
       hostname: 'ubuntu1710'
       program_name: '(null)'
       log: 'type=SYSCALL msg=audit(1546956747.723:17): arch=c000003e syscall=1 success=yes exit=122732 a0=6 a1=7fd88a9c9010 a2=1df6c a3=0 items=0 ppid=763 pid=765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)'

**Phase 2: Completed decoding.
       decoder: 'auditd'
       audit.type: 'SYSCALL'
       audit.id: '17'
       audit.syscall: '1'
       audit.success: 'yes'
       audit.exit: '122732'
       audit.ppid: '763'
       audit.pid: '765'
       audit.auid: '4294967295'
       audit.uid: '0'
       audit.gid: '0'
       audit.euid: '0'
       audit.suid: '0'
       audit.fsuid: '0'
       audit.egid: '0'
       audit.sgid: '0'
       audit.fsgid: '0'
       audit.tty: '(none)'
       audit.session: '4294967295'
       audit.command: 'apparmor_parser'
       audit.exe: '/sbin/apparmor_parser'
       audit.key: 'null'

**Phase 3: Completed filtering (rules).
       Rule id: '80700'
       Level: '0'
       Description: 'Audit: messages grouped.'

After:

**Phase 1: Completed pre-decoding.
       full event: 'type=SYSCALL msg=audit(1546956747.723:17): arch=c000003e syscall=1 success=yes exit=122732 a0=6 a1=7fd88a9c9010 a2=1df6c a3=0 items=0 ppid=763 pid=765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)'
       timestamp: '(null)'
       hostname: 'ubuntu1710'
       program_name: '(null)'
       log: 'type=SYSCALL msg=audit(1546956747.723:17): arch=c000003e syscall=1 success=yes exit=122732 a0=6 a1=7fd88a9c9010 a2=1df6c a3=0 items=0 ppid=763 pid=765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)'

**Phase 2: Completed decoding.
       decoder: 'auditd'
       audit.type: 'SYSCALL'
       audit.id: '17'
       audit.arch: 'c000003e'
       audit.syscall: '1'
       audit.success: 'yes'
       audit.exit: '122732'
       audit.a0: '6'
       audit.a1: '7fd88a9c9010'
       audit.a2: '1df6c'
       audit.a3: '0'
       audit.items: '0'
       audit.ppid: '763'
       audit.pid: '765'
       audit.auid: '4294967295'
       audit.uid: '0'
       audit.gid: '0'
       audit.euid: '0'
       audit.suid: '0'
       audit.fsuid: '0'
       audit.egid: '0'
       audit.sgid: '0'
       audit.fsgid: '0'
       audit.tty: '(none)'
       audit.session: '4294967295'
       audit.command: 'apparmor_parser'
       audit.exe: '/sbin/apparmor_parser'
       audit.key: 'null'

**Phase 3: Completed filtering (rules).
       Rule id: '80700'
       Level: '0'
       Description: 'Audit: messages grouped.'
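As an added example (not the project's own decoder, which is an XML/regex decoder), a small Python parser that pulls the same fields from the SYSCALL record shown above, including the arch, a0..a3 and items values this PR starts extracting, and then shows why arch is worth having: a syscall number only resolves to a name per architecture. The ARCH and SYSCALLS lookup tables are partial and assumed for the demonstration.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the SYSCALL record from the logtest output in this PR.
SAMPLE = ('type=SYSCALL msg=audit(1546956747.723:17): arch=c000003e syscall=1 '
          'success=yes exit=122732 a0=6 a1=7fd88a9c9010 a2=1df6c a3=0 items=0 '
          'ppid=763 pid=765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
          'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apparmor_parser" '
          'exe="/sbin/apparmor_parser" key=(null)')

# Raw audit keys renamed the way the decoder output above names them (audit.<name>).
RENAMES = {"ses": "session", "comm": "command"}

# Header: type=<TYPE> msg=audit(<epoch.ms>:<serial>): <key=value ...>
HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed partial tables: arch is the AUDIT_ARCH_* constant in hex, and the
# syscall number must be looked up in the table for that architecture.
ARCH = {"c000003e": "x86_64", "40000003": "i386"}
SYSCALLS = {
    "x86_64": {"1": "write", "2": "open", "59": "execve", "257": "openat"},
    "i386": {"4": "write", "5": "open", "11": "execve"},
}


def decode_audit(line: str) -> Dict[str, str]:
    """Return the audit.* fields for one raw audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record")
    rec_type, _epoch, rec_id, body = m.groups()
    fields = {"type": rec_type, "id": rec_id}
    for key, raw in KV_RE.findall(body):
        value = raw[1:-1] if raw.startswith('"') else raw
        if value == "(null)":
            value = "null"  # the decoder output shows key=(null) as 'null'
        fields[RENAMES.get(key, key)] = value
    return fields


def describe_syscall(fields: Dict[str, str]) -> Tuple[str, str]:
    """Resolve (arch name, syscall name); 'unknown' when outside the tables."""
    arch = ARCH.get(fields.get("arch", ""), "unknown")
    name = SYSCALLS.get(arch, {}).get(fields.get("syscall", ""), "unknown")
    return arch, name


if __name__ == "__main__":
    decoded = decode_audit(SAMPLE)
    for k, v in decoded.items():
        print(f"audit.{k}: '{v}'")
    print(describe_syscall(decoded))
```

Without the arch field, `syscall=1` cannot be told apart between architectures (write on x86_64, exit on i386), which is why a rule keyed on a syscall number should also match on arch.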

@vikman90 vikman90 merged commit fbbc4c2 into 3.8 Jan 8, 2019
@vikman90 vikman90 deleted the enhance-audit-decoder branch January 8, 2019 17:17