Auditd 日志使用 logstash 过滤器插件进行解析。但是我还需要parse和convert msg字段内容(
msg=audit(1678949471.038:9696): id_field=1678949471.038:9696
1678949471.038 => 16.03.2023 9:51:11.038 AM
date_filed=16.03.2023 9:51:11.038 AM
我的 logstash 管道分享如下:
input {
beats {
port => 5044
type => "audit"
}
}
filter {
grok {
match => { "message" => "type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): success=%{WORD:audit_success} pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_audid} ses=%{NUMBER:ses} acct=\"%{WORD:acct_user}\" exe=\"%{GREEDYDATA:exec}\" SYSCALL=%{WORD:syscall_name} syscall=%{NUMBER:syscall_number} nametype=%{WORD:nametype} name=\"%{GREEDYDATA:path_name}\" inode=%{NUMBER:inode}"}
named_captures_only => true
}
kv {
include_keys => ["type","pid","ppid","exe","msg","uid","gid","UID","GID","comm","items","inode","name", "nametype"]
}
}
output {
elasticsearch {
hosts => ["http://host-ip:9200"]
index => "samba-%{[@metadata][version]}"
action => "create"
}
}