Hey, I was merging three event into one event, I was wondering if someone could tell me what I'm doing wrong.
input example:
type=SYSCALL msg=audit(1516094800.649:1198): arch=c000003e syscall=59 success=yes exit=0 a0=280b5 e0 a1=27f3c20 a2=280a790 a3=7fffad05f830 items=2 ppid=3989 pid=10878 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=9 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="SYSCALL_exec"
type=EXECVE msg=audit(1516094800.649:1198): argc=2 a0="ls" a1="--color=auto"
type=CWD msg=audit(1516094800.649:1198): cwd="/home/user1"
filter example:
filter {
grok {
match => { "message" => ["type=%{DATA:audit_type}\smsg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): (?<sub_message>.*)"]}
}
if [audit_type] == "SYSCALL" {
aggregate {
task_id => "%{audit_counter}"
code => "map['msg'] = event.get('sub_message')"
map_action => "create"
}
}
if [audit_type] == "EXECVE" {
aggregate {
task_id => "%{audit_counter}"
code => "map['args'] = event.get('sub_message')"
map_action => "create"
}
}
if [audit_type] == "CWD" {
aggregate {
task_id => "%{audit_counter}"
code => "map['cwd'] = event.get('sub_message');event['msg'] = map['msg']; event['args'] = map['args']; event['cwd'] = map['cwd']"
#code => "event.set('msg', map['msg']); event.set('args',map['args'])"
map_action => "create"
end_of_task => true
timeout => 60
}
}
}
i expect the output like this,but it's not working
msg =>"arch=c000003e syscall=59 success=yes exit=0 a0=280b5 e0 a1=27f3c20 a2=280a790 a3=7fffad05f830 items=2 ppid=3989 pid=10878 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=9 comm=\"ls\" exe=\"/usr/bin/ls\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"SYSCALL_exec\""
args =>"argc=2 a0=\"ls\" a1=\"--color=auto\""
cwd =>"cwd=\"/home/lp306b\""