Logstash | Pipeline - Hexadecimal to ASCII Converter

Elastic Stack Logstash
1

Hi experts,
I am trying to parse some events from Auditd, the values have been extracted but the commands executed are coming in hexadecimal format.

Can anyone help how to convert it to ASCII in a logstash pipeline.
Below is the sample logs and logic I am using to convert but no joy :frowning:

type=PROCTITLE msg=audit(1583935996.510:284168): proctitle=2F7573722F7362696E2F6E747064002D70002F7661722F72756E2F6E74702F6E7470642E706964002D67002D75006E74703A6E7470002D63002F6574632F6E74702E636F6E66

if [message] =~ "PROCTITLE" {
ruby { code => "event.set('[auditd][log][proctitle]',event.get('[audit][log][proctitle]').pack('H*'))" }
}

@Badger Any inputs here from your expertise?

TIA,
Deepak Shukla

2

.pack operates on an array, not on a string. If you have a field called proctitle then

ruby { code => "event.set('[proctitle]', [event.get('[proctitle]')].pack('H*'))" }

will get you

"/usr/sbin/ntpd\x00-p\x00/var/run/ntp/ntpd.pid\x00-g\x00-u\x00ntp:ntp\x00-c\x00/etc/ntp.conf

which looks like it is encoding spaces with NUL.

1 Like
3

Hi Deepak,

Please use the .split.pack() for string inputs as @Badger explained .pack operates on an array.

ruby { code => "event.set('[auditd][log][proctitle]'),event.get('[auditd][log][proctitle]').split.pack('H*'))"}

Hopefully this should work for you.

Ankit

1 Like
4

Thanks Ankit.... It worked!

1 Like
5

Thanks for your heads up Badger on the string and array part!

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.