Coder Social home page Coder Social logo

logstash-auditd's Introduction

logstash-auditd

Logstash/grok filter for parsing auditd event logs and display it on the official module dashboard. Elasticsearch docs seems to have example filters for all the other filebeat modules except this one.

Made with Logstash 5.4, tested on CentOS 6. Might not work properly, feel free to contribute.

In order to get exec events logged we need to ensure that the following exists in /etc/audit/audit.rules.

-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve

The filters are in the following order of record_type processing groups

DAEMON_START
LOGIN
USER_LOGIN
EXECVE
SYSCALL
CRED_ACQ USER_CMD USER_START USER_ACCT USER_END
CWD PATH BPRM_FCAPS (pretty generic, probably will match everything else)

Enjoy!

logstash-auditd's People

Contributors

gurucleff avatar

Stargazers

avatar avatar avatar avatar avatar

Watchers

avatar

Forkers

songxiaohuar

logstash-auditd's Issues

GeoIP Mapping Fix

Still learning the ins and outs of Github and not sure how to pull/fix your repo. Thanks for the snippit as I've spent most the day trying to figure out this and yours almost worked out of the box. The only thing broke in yours was the geolocation and that was just missing a small piece.

Yours:

	geoip {
		source => "[auditd][log][addr]"
		target => "[auditd][geoip]"
	}

Should be:

	geoip {
		source => "[auditd][log][addr]"
		target => "[auditd][log][geoip]"
	}

As soon as I added [log] it worked! Thanks again.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.