How to match and assign fields to a dynamic number of key values of the same name


(Ryan Clark) #1

In the auditd event below, there are two path names that need to be captured (name="/tmp" and name="file"). There could be multiple entries for the path name depending on the path accessed. I need to be able to dynamically pull these path names into a field or fields to get the full path for the event. How would I build a grok match for this?

What I have so far that only gets one path is:

grok {
  match => { "message" => ".*syscall=%{WORD:access_type}.*auid=%{USERNAME:ANAME} uid=%{USERNAME:UNAME}.name=%{DATA:path}.%{GREEDYDATA}" }
}

Event String:
type=SYSCALL msg=audit(1316210542.899:779): arch=c000003e syscall=263 success=yes exit=0 a0=3 a1=400690 a2=0 a3=0 items=2 ppid=32106 pid=32121 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=36 comm="unlinkat" exe="/tmp/unlinkat" key=(null) type=CWD msg=audit(1316210542.899:779): cwd="/tmp" type=PATH msg=audit(1316210542.899:779): item=0 name="/tmp" inode=58781 dev=00:0e mode=040755 ouid=1000 ogid=1000 rdev=00:00 type=PATH msg=audit(1316210542.899:779): item=1 name="file" inode=56228 dev=00:0e mode=0100644 ouid=1000 ogid=1000 rdev=00:00 type=EOE msg=audit(1316210542.899:779):


(Christian Dahlqvist) #2

Have you tried using the kv filter?


(Ryan Clark) #3

I'm aware of kv but haven't tried it because I would end up with a lot of fields I don't care for. I guess I could always remove them. If there is not a dynamic way to do this in a grok match then I'll go that route.


(Christian Dahlqvist) #4

The kv filter will handle the fields no matter in which order they come, so it is quite flexible.


(Ryan Clark) #5

I did have to remove about 30+ fields that weren't needed but using kv seems to work. Thanks
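What the kv approach buys over a single grok capture, shown as an added Python example (not code from this thread or from Logstash): every key=value pair is collected and a repeated key such as name= becomes a list, the way the kv filter treats duplicates, after which unwanted fields are trimmed. The event string is the one from the question; resolving a relative name against the CWD record's cwd, and skipping name=(null), are assumptions of this example.

```python
import posixpath
import re

# The auditd event from the question, exactly as the thread shows it (one line in Logstash).
EVENT = (
    'type=SYSCALL msg=audit(1316210542.899:779): arch=c000003e syscall=263 success=yes '
    'exit=0 a0=3 a1=400690 a2=0 a3=0 items=2 ppid=32106 pid=32121 auid=0 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=36 comm="unlinkat" '
    'exe="/tmp/unlinkat" key=(null) type=CWD msg=audit(1316210542.899:779): cwd="/tmp" '
    'type=PATH msg=audit(1316210542.899:779): item=0 name="/tmp" inode=58781 dev=00:0e '
    'mode=040755 ouid=1000 ogid=1000 rdev=00:00 type=PATH msg=audit(1316210542.899:779): '
    'item=1 name="file" inode=56228 dev=00:0e mode=0100644 ouid=1000 ogid=1000 rdev=00:00 '
    'type=EOE msg=audit(1316210542.899:779):'
)

# key=value where the value is either a double-quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit_kv(line):
    """Split an auditd line into fields. A key seen more than once (name=, type=, msg=)
    becomes a list, which is how Logstash's kv filter handles repeated keys."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if key not in fields:
            fields[key] = value
        elif isinstance(fields[key], list):
            fields[key].append(value)
        else:
            fields[key] = [fields[key], value]
    return fields

def event_paths(fields):
    """Resolve every PATH record's name to an absolute path. Assumption: a relative
    name refers to the directory in the CWD record; name=(null) carries no path."""
    names = fields.get("name", [])
    if isinstance(names, str):
        names = [names]
    cwd = fields.get("cwd", "")
    return [n if n.startswith("/") else posixpath.join(cwd, n)
            for n in names if n != "(null)"]

# Fields worth keeping; everything else is dropped, like remove_field/prune after kv.
WANTED = ("type", "syscall", "success", "auid", "uid", "exe", "cwd", "name")

def keep_only(fields, wanted=WANTED):
    """Trim the parsed event down to the fields an analyst actually wants."""
    return {k: v for k, v in fields.items() if k in wanted}

if __name__ == "__main__":
    parsed = parse_audit_kv(EVENT)
    print(keep_only(parsed))
    print("paths:", event_paths(parsed))
```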


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.