deeshu
(Deepak Shukla)
March 11, 2020, 2:18pm
1
Hi experts,
I am trying to parse some events from Auditd. The values have been extracted, but the commands executed are coming in hexadecimal format.
Can anyone help with how to convert it to ASCII in a Logstash pipeline?
Below are the sample log and the logic I am using to convert, but no joy.
type=PROCTITLE msg=audit(1583935996.510:284168): proctitle=2F7573722F7362696E2F6E747064002D70002F7661722F72756E2F6E74702F6E7470642E706964002D67002D75006E74703A6E7470002D63002F6574632F6E74702E636F6E66
if [message] =~ "PROCTITLE" {
ruby { code => "event.set('[auditd][log][proctitle]',event.get('[audit][log][proctitle]').pack('H*'))" }
}
@Badger Any inputs here from your expertise?
TIA,
Deepak Shukla
Badger
March 11, 2020, 4:59pm
2
.pack operates on an array, not on a string. If you have a field called proctitle then
ruby { code => "event.set('[proctitle]', [event.get('[proctitle]')].pack('H*'))" }
will get you
"/usr/sbin/ntpd\x00-p\x00/var/run/ntp/ntpd.pid\x00-g\x00-u\x00ntp:ntp\x00-c\x00/etc/ntp.conf"
which looks like it is encoding spaces with NUL.
ankitsynX
(Ankit Kumar)
March 12, 2020, 2:56pm
3
Hi Deepak,
Please use .split.pack() for string inputs, as @Badger explained that .pack operates on an array.
ruby { code => "event.set('[auditd][log][proctitle]', event.get('[auditd][log][proctitle]').split.pack('H*'))" }
Hopefully this should work for you.
Ankit
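Following Badger's point that pack() takes an array and that the decoded value is NUL-separated, here is an added example (not code from any poster) that decodes a PROCTITLE value and splits it into argv. The sample line is the one from the question; the field names in the Logstash comment are assumed.

```ruby
# Constructed sample line: the PROCTITLE record quoted in the question.
SAMPLE_LINE = "type=PROCTITLE msg=audit(1583935996.510:284168): proctitle=2F7573722F7362696E2F6E747064002D70002F7661722F72756E2F6E74702F6E7470642E706964002D67002D75006E74703A6E7470002D63002F6574632F6E74702E636F6E66"

# Pull the proctitle= value out of a raw auditd line.
def extract_proctitle(line)
  m = line.match(/\bproctitle=(\S+)/)
  m && m[1]
end

# auditd hex-encodes the value when it contains bytes such as NUL or space;
# a single-argument command line arrives as a quoted string instead.
# Array#pack('H*') takes the hex string *inside* an array (Badger's point).
def decode_proctitle(value)
  return nil if value.nil?
  if value =~ /\A[0-9A-Fa-f]+\z/ && value.length.even?
    [value].pack('H*').force_encoding('UTF-8').scrub('?')
  else
    value.delete('"')
  end
end

# The "\x00" bytes in the decoded string are auditd's argument separators,
# so splitting on NUL recovers argv.
def proctitle_argv(value)
  decoded = decode_proctitle(value)
  decoded.nil? ? [] : decoded.split("\x00")
end

# Space-joined command line, the form you'd index for searching.
def proctitle_command(value)
  proctitle_argv(value).join(' ')
end

# Same logic as a Logstash ruby filter (field names assumed; 0.chr avoids
# escaping a NUL literal inside the config string):
#   ruby { code => "v = event.get('[auditd][log][proctitle]'); event.set('[auditd][log][command]', [v].pack('H*').split(0.chr).join(' ')) if v" }

puts proctitle_command(extract_proctitle(SAMPLE_LINE)) if __FILE__ == $0
```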
deeshu
(Deepak Shukla)
March 13, 2020, 8:53am
4
Thanks Ankit.... It worked!
deeshu
(Deepak Shukla)
March 13, 2020, 8:54am
5
Thanks for your heads up Badger on the string and array part!