Audit log fields

Hi, I have a set of audit call events, Example:

type=SYSCALL msg=audit(1647800652.003:104): arch=c00000b7 syscall=221 success=yes exit=0 a0=ffff96c3a518 a1=ffffe65a32e8 a2=ffffe65a3c78 a3=8 items=0 ppid=5916 pid=7997 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/sh" subj=system_u:system_r:atf_agent_t key=(null)
type=PROCTITLE msg=audit(1647800652.003:104): proctitle=7368002D630069707461626C6573202D4920494E505554202D7020746370202D2D64657374696E6174696F6E2D706F72742038343030202D6A20414343455054
type=AVC msg=audit(1647800652.007:105): avc:  denied  { getattr } for  pid=7997 comm="sh" path="/" dev="sda3" ino=2 scontext=system_u:system_r:atf_agent_t tcontext=system_u:object_r:default_t tclass=dir permissive=1

The filter of my logstash conf file is

filter {
  if [type] == "audit" {
  grok {
    match => { "message" => "type=%{DATA:audit_type}\smsg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\):.*?( msg=\'(?<sub_msg>.*?)\')?$" }
    named_captures_only => true
  kv {
    exclude_keys => [ "msg", "type" ]
  kv {
    source => "sub_msg"
  date {
    match => [ "audit_epoch", "UNIX" ]
  mutate {
    rename => [
      "auid", "uid_audit",
      "fsuid", "uid_fs",
      "suid", "uid_set",
      "ses", "session_id"
    remove_field => ['sub_msg', 'audit_epoch']

For the type = AVC log messages i get the following fields -

However for this, I want to add another field called "Action" that will contain the value present in the curly brackets.
In this case that would be getattr.
Need help in figuring out how to update the filter to do so.
help will be appreciated,
Thanks in advace

You could add

grok { match => { "message" => "{ %{WORD:someField} }" } tag_on_failure => [] }

that works, thank you so much!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.