Hi!
I am getting `6563686F205C226172672068657820656E636F6465645C22` where I would expect `echo "arg hex encoded"`.
Is this a problem with my configuration, or a problem with the auditd module?
P.S.: I have tested with ausearch and it displays the argument correctly.
Original auditd log:
type=EXECVE msg=audit(1669615313.901:5538): argc=3 a0="sh" a1="-c" a2=6563686F205C226172672068657820656E636F6465645C22
log.json:
{
"_index": ".ds-logs-auditd.log-default-2022.11.28-000001",
"_id": "gozUvIQBU0dAtaoQAJWa",
"_score": 1,
"fields": {
"elastic_agent.version": [
"8.5.1"
],
"host.os.name.text": [
"Ubuntu"
],
"host.hostname": [
"servidor-web-teste"
],
"host.mac": [
"08-00-27-70-61-5E"
],
"host.ip": [
"192.168.1.101",
"fe80::a00:27ff:fe70:615e"
],
"agent.type": [
"filebeat"
],
"process.executable.text": [
"sh"
],
"event.module": [
"auditd"
],
"host.os.version": [
"20.04.2 LTS (Focal Fossa)"
],
"host.os.kernel": [
"5.4.0-99-generic"
],
"host.os.name": [
"Ubuntu"
],
"agent.name": [
"servidor-web-teste"
],
"host.name": [
"servidor-web-teste"
],
"elastic_agent.snapshot": [
false
],
"event.agent_id_status": [
"auth_metadata_missing"
],
"host.id": [
"f1c86fdc6a354beab2b3464b07325c94"
],
"event.kind": [
"event"
],
"process.executable": [
"sh"
],
"host.os.type": [
"linux"
],
"process.args_count": [
3
],
"elastic_agent.id": [
"e17a78c8-2a44-4c59-9c5e-fa14c8fd3294"
],
"data_stream.namespace": [
"default"
],
"host.os.codename": [
"focal"
],
"process.args": [
"sh",
"-c",
"6563686F205C226172672068657820656E636F6465645C22"
],
"input.type": [
"log"
],
"log.offset": [
4802352
],
"data_stream.type": [
"logs"
],
"tags": [
"auditd-log"
],
"host.architecture": [
"x86_64"
],
"event.action": [
"execve"
],
"event.ingested": [
"2022-11-28T06:02:01Z"
],
"@timestamp": [
"2022-11-28T06:01:53.901Z"
],
"agent.id": [
"e17a78c8-2a44-4c59-9c5e-fa14c8fd3294"
],
"host.containerized": [
false
],
"ecs.version": [
"8.5.0"
],
"host.os.platform": [
"ubuntu"
],
"data_stream.dataset": [
"auditd.log"
],
"log.file.path": [
"/var/log/audit/audit.log"
],
"auditd.log.sequence": [
5538
],
"agent.ephemeral_id": [
"54140a4f-4010-4a61-a7dc-33b0088979b8"
],
"agent.version": [
"8.5.1"
],
"host.os.family": [
"debian"
],
"event.dataset": [
"auditd.log"
]
}
}