Hi,
Context: auditbeat on RHEL, auditd module
Ideally, I would like to remove a ton of fields that are of no use to a human being (not related to this topic), and add a field that would show me the IP that issued a given command.
Example:
- user issues "somecommand.sh"
- Audit log will show (desired result): [host-command-issued-on][user-IP][command-with-args]
(this is a pseudo audit record, just to show the desired IP part of the result)
Unfortunately, though I saw there was an option to add custom fields, I cannot find anything on them being based on custom code, and if I just add "source.ip", it doesn't catch anything (I assume because that field does not exist for these entries).
Is there a way of doing this?
If there's a built-in way of doing it, that would be ideal, but something that lets me add a field based on custom code would also work, as I do have some sh code that can link an IP to a PID, provided it can be fed said PID.
Thanks,
Ziv.
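Added example (not from the original post, and not Auditbeat code): auditd already records the link you are after without any PID lookup. sshd's USER_LOGIN record carries the remote address (`addr=`) and a session id (`ses=`), and every SYSCALL/EXECVE record for a command run in that session carries the same `ses=`. The script below correlates the two over raw auditd lines; the sample lines are constructed, and the `source_ip`, `command` and `event_id` field names are my own.

```python
import re
# Constructed sample auditd lines (not from the original post). sshd's USER_LOGIN record
# carries addr= and ses=; every SYSCALL for a command run in that session has the same ses=.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1700000000.100:101): pid=2001 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1700000001.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2010 auid=1000 uid=1000 ses=7 comm="somecommand.sh" exe="/bin/bash" key="exec"
type=EXECVE msg=audit(1700000001.200:102): argc=2 a0="/home/ziv/somecommand.sh" a1="--verbose"
type=SYSCALL msg=audit(1700000002.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2020 auid=4294967295 uid=0 ses=4294967295 comm="run-parts" exe="/bin/bash" key="exec"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
EVENT_RE = re.compile(r'audit\(([\d.]+:\d+)\)')
UNSET_SESSION = "4294967295"  # auditd's value for processes with no login session

def parse_record(text: str) -> dict:
    """Flatten one auditd line into a dict; the nested msg='...' part is parsed too."""
    fields = {}
    if (m := EVENT_RE.search(text)):
        fields["event_id"] = m.group(1)  # shared by all records of one event
    for key, value in KV_RE.findall(text):
        if value.startswith("'"):
            fields.update(parse_record(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields

def execve_args(rec: dict) -> str:
    """Join a0..aN of an EXECVE record (auditd hex-encodes args containing spaces; not decoded here)."""
    return " ".join(rec.get(f"a{i}", "") for i in range(int(rec.get("argc", "0"))))

def session_ips(records: list) -> dict:
    """Map session id -> remote address, taken only from successful logins."""
    return {r["ses"]: r["addr"] for r in records
            if r.get("type") == "USER_LOGIN" and r.get("res") == "success"
            and "addr" in r and r.get("ses", UNSET_SESSION) != UNSET_SESSION}

def enrich(log_text: str) -> list:
    """Return SYSCALL records with source_ip and the full command line attached."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    ses_to_ip = session_ips(records)
    args_by_event = {r["event_id"]: execve_args(r) for r in records
                     if r.get("type") == "EXECVE" and "event_id" in r}
    out = []
    for r in [x for x in records if x.get("type") == "SYSCALL"]:
        # An unset session (cron, boot daemons) has no remote address to attach.
        r["source_ip"] = ses_to_ip.get(r.get("ses", ""), "unknown")
        r["command"] = args_by_event.get(r.get("event_id", ""), "")
        out.append(r)
    return out
```

Commands with no login session (the second SYSCALL above) are deliberately left as `unknown` rather than guessed, so a missing IP in the output is itself a useful signal.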