Discussion:
Remote Logging of auditd
Joshua Ammons
2018-01-19 14:51:18 UTC
Hi All,

I wanted to send this out to see if anyone has encountered this situation before and, if so, how you handled it. We send our auditd logs to a remote central logging server. Is there any way to decode the hex encoded fields before sending them along? Similar to the ausearch [-i] flag which interprets the encoded value?

For example, the "data" field in a USER_TTY event:

type=USER_TTY msg=audit(1516365981.138:13125): pid=7161 uid=0 auid=1007 ses=65 data=73657276696365206175646974642073746F70
type=USER_TTY msg=audit(1516367294.919:13331): pid=7161 uid=0 auid=1007 ses=65 data=73797374656D63746C2073746F7020617564697464
type=USER_TTY msg=audit(1516367648.904:13375): pid=7161 uid=0 auid=1007 ses=65 data=6964206A6F7368616D6D6F6E73
type=USER_TTY msg=audit(1516367664.832:13378): pid=7161 uid=0 auid=1007 ses=65 data=636174202F6574632F706173737764207C2067726570206A6F7368616D6D6F6E73
type=USER_TTY msg=audit(1516367715.041:13388): pid=7161 uid=0 auid=1007 ses=65 data=636174202F7661722F6C6F672F61756469742F61756469742E6C6F67207C20677265702022555345525F54545922

We have the following configured in our /etc/rsyslog.conf file:

:programname, isequal, "audispd" @SERVER_NAME:514
:programname, isequal, "auditd" @SERVER_NAME:514

^^ This, however, will send those fields in their raw format and does not decode the values. Is it possible to natively interpret those fields before sending them to the remote server?

Joshua Ammons
Advanced SIEM Engineer, Cybersecurity
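As an added example (not code from the thread or from the audit project), here is a small Python filter that decodes the hex-encoded fields in the USER_TTY records quoted above the way ausearch -i presents them; a forwarder could pipe records through such a stage before they leave the host. The field allowlist and the encoding rule it relies on (auditd writes a string field as bare hex only when the value contains bytes it does not trust, and double-quotes it otherwise) are stated from general auditd knowledge, not from the post, and the allowlist is deliberately short.

```python
import re

# Fields that auditd writes as bare hex when the value holds a byte it does not
# trust (space, double quote, control or non-ASCII); values made only of safe
# characters are written double-quoted instead. Assumption for this example: a
# short allowlist rather than the full set of audit "untrusted string" fields.
HEX_STRING_FIELDS = {"data", "proctitle", "comm", "exe", "cwd", "name", "cmd", "acct", "key"}

_FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_-]+)=(?P<val>"[^"]*"|\S+)')
_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def decode_hex_field(value: str) -> str:
    """Decode a hex audit value to a double-quoted string; embedded quotes are
    escaped and non-printable bytes shown as \\xNN so a control character typed
    at the TTY cannot hide in the decoded output."""
    out = []
    for b in bytes.fromhex(value):
        if b == 0x22:
            out.append('\\"')
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return '"' + "".join(out) + '"'


def interpret_record(line: str) -> str:
    """Rewrite one audit record with hex string fields decoded, like ausearch -i.
    Only allowlisted keys are touched: a numeric field such as ses=65 also looks
    like hex, so a key-agnostic decoder would silently corrupt it."""
    def repl(m):
        key, val = m.group("key"), m.group("val")
        if key in HEX_STRING_FIELDS and not val.startswith('"') and _HEX_RE.match(val):
            return f"{key}={decode_hex_field(val)}"
        return m.group(0)
    return _FIELD_RE.sub(repl, line)


# Constructed input: three of the USER_TTY records quoted in the post above.
SAMPLE = [
    "type=USER_TTY msg=audit(1516365981.138:13125): pid=7161 uid=0 auid=1007 ses=65 data=73657276696365206175646974642073746F70",
    "type=USER_TTY msg=audit(1516367648.904:13375): pid=7161 uid=0 auid=1007 ses=65 data=6964206A6F7368616D6D6F6E73",
    "type=USER_TTY msg=audit(1516367715.041:13388): pid=7161 uid=0 auid=1007 ses=65 data=636174202F7661722F6C6F672F61756469742F61756469742E6C6F67207C20677265702022555345525F54545922",
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(interpret_record(rec))
```

Decoded, the first record reads `data="service auditd stop"`, which is exactly the kind of TTY activity a central logging server should be able to search for without a hex table.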
LC Bruzenak
2018-01-22 17:55:59 UTC
Post by Joshua Ammons
Hi All,
I wanted to send this out to see if anyone has encountered this
situation before and, if so, how you handled it. We send our auditd
logs to a remote central logging server. Is there any way to decode
the hex encoded fields before sending them along? Similar to the
ausearch [-i] flag which interprets the encoded value?
type=USER_TTY msg=audit(1516365981.138:13125): pid=7161 uid=0
auid=1007 ses=65 data=73657276696365206175646974642073746F70
type=USER_TTY msg=audit(1516367294.919:13331): pid=7161 uid=0
auid=1007 ses=65 data=73797374656D63746C2073746F7020617564697464
type=USER_TTY msg=audit(1516367648.904:13375): pid=7161 uid=0
auid=1007 ses=65 data=6964206A6F7368616D6D6F6E73
type=USER_TTY msg=audit(1516367664.832:13378): pid=7161 uid=0
auid=1007 ses=65
data=636174202F6574632F706173737764207C2067726570206A6F7368616D6D6F6E73
type=USER_TTY msg=audit(1516367715.041:13388): pid=7161 uid=0
auid=1007 ses=65
data=636174202F7661722F6C6F672F61756469742F61756469742E6C6F67207C20677265702022555345525F54545922
^^ This, however, will send those fields in their raw format and does
not decode the values. Is it possible to natively interpret those
fields before sending them to the remote server?
Joshua,

What audit version are you using?
LCB
--
LC (Lenny) Bruzenak
***@magitekltd.com