Logstash | Pipeline - Hexadecimal to ASCII Converter

deeshu · March 11, 2020, 2:18pm

Hi experts,
I am trying to parse some events from Auditd, the values have been extracted but the commands executed are coming in hexadecimal format.

Can anyone help how to convert it to ASCII in a logstash pipeline.
Below is the sample logs and logic I am using to convert but no joy

type=PROCTITLE msg=audit(1583935996.510:284168): proctitle=2F7573722F7362696E2F6E747064002D70002F7661722F72756E2F6E74702F6E7470642E706964002D67002D75006E74703A6E7470002D63002F6574632F6E74702E636F6E66

if [message] =~ "PROCTITLE" {
ruby { code => "event.set('[auditd][log][proctitle]',event.get('[audit][log][proctitle]').pack('H*'))" }
}

@Badger Any inputs here from your expertise?

TIA,
Deepak Shukla

Badger · March 11, 2020, 4:59pm

.pack operates on an array, not on a string. If you have a field called proctitle then

ruby { code => "event.set('[proctitle]', [event.get('[proctitle]')].pack('H*'))" }

will get you

"/usr/sbin/ntpd\x00-p\x00/var/run/ntp/ntpd.pid\x00-g\x00-u\x00ntp:ntp\x00-c\x00/etc/ntp.conf

which looks like it is encoding spaces with NUL.

ankitsynX · March 12, 2020, 2:56pm

Hi Deepak,

Please use the .split.pack() for string inputs as @Badger explained .pack operates on an array.

ruby { code => "event.set('[auditd][log][proctitle]'),event.get('[auditd][log][proctitle]').split.pack('H*'))"}

Hopefully this should work for you.

Ankit

deeshu · March 13, 2020, 8:53am

Thanks Ankit.... It worked!

deeshu · March 13, 2020, 8:54am

Thanks for your heads up Badger on the string and array part!

system · April 10, 2020, 8:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.