I want to make a Ruby script that adds an extra field, "command", which it parses out of the message that auditd creates; however, it does not work and I am unable to figure out why.
Example log:
type=EXECVE msg=audit(1676645236.583:93680): argc=2 a0="hostname" a1="-f"
Part of the Logstash config in question:
mutate {
  add_field => { "command" => "" }
}
if "type=EXECVE" in [message] {
  ruby {
    code => '
      def filter(event)
        if event.get("message").include?("type=execve")
          args = ""
          99.times do |i|
            break unless event.include?("a" + (i+0).to_s)
            args += event.get(("a" + (i+0).to_s) + " ")
          end
          event.set("command", args.strip)
          event.remove("a%{[0-9]+}")
        end
        return [event]
      end'
  }
}
Ruby script:
def filter(event)
  if event.get("message").include?("type=execve")
    args = ''
    99.times do |i|
      break unless event.include?('a' + (i+0).to_s)
      args += event.get(('a' + (i+0).to_s) + ' ')
    end
    event.set('command', args.strip)
    event.remove("a%{[0-9]+}")
  end
  return [event]
end
Current output:
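The following is an added, stand-alone example (not the poster's script and not Logstash's own code) of reconstructing the "command" field from an auditd EXECVE record. It differs from the question's approach in three assumptions: the a0, a1, ... arguments are parsed straight out of the message text with a regular expression rather than being expected to exist as event fields; the type check is case-insensitive, because auditd writes the record type as EXECVE in upper case; and arguments that auditd hex-encodes (values containing spaces, quotes, control or non-ASCII bytes) are decoded back to text. FakeEvent is a constructed stand-in for LogStash::Event so the script runs without Logstash; the real ruby filter passes an event with the same get/set/include?/remove/to_hash methods, and in the filter's inline `code` option the body of `filter` below would run directly with `event` in scope.

```ruby
# Minimal stand-in for LogStash::Event (assumption: only for running offline).
class FakeEvent
  def initialize(fields)
    @fields = fields.dup
  end

  def get(key)
    @fields[key]
  end

  def set(key, value)
    @fields[key] = value
  end

  def include?(key)
    @fields.key?(key)
  end

  def remove(key)
    @fields.delete(key)
  end

  def to_hash
    @fields.dup
  end
end

# One EXECVE argument: aN="quoted value" or aN=HEXBYTES (auditd hex-encodes
# values with spaces, quotes, control or non-ASCII bytes instead of quoting).
ARG_RE = /\ba(\d+)=(?:"((?:[^"\\]|\\.)*)"|([0-9A-Fa-f]+)\b)/

# Decode one argument value; a quoted value is returned as-is, a hex value is unpacked.
def decode_audit_arg(quoted, hex)
  return quoted unless quoted.nil?
  [hex].pack('H*').force_encoding('UTF-8')
end

# Extract argv from an EXECVE message, ordered by argument index (a10 after a9).
def execve_args(message)
  message.scan(ARG_RE)
         .map { |idx, quoted, hex| [idx.to_i, decode_audit_arg(quoted, hex)] }
         .sort_by(&:first)
         .map(&:last)
end

# Build the command line, or nil when the record is not an EXECVE or has no args.
def build_command(message)
  return nil unless message =~ /\btype=EXECVE\b/i
  args = execve_args(message)
  return nil if args.empty?
  args.join(' ')
end

# Filter entry point; returns the event array the Logstash ruby filter expects.
def filter(event)
  command = build_command(event.get('message').to_s)
  if command
    event.set('command', command)
    # Drop any a0, a1, ... fields an earlier kv filter may already have created.
    event.to_hash.keys.grep(/\Aa\d+\z/).each { |key| event.remove(key) }
  end
  [event]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample messages: the first is the record from the question,
  # the second shows a hex-encoded argument as auditd emits it.
  samples = [
    'type=EXECVE msg=audit(1676645236.583:93680): argc=2 a0="hostname" a1="-f"',
    'type=EXECVE msg=audit(1676645300.001:93681): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F'
  ]
  samples.each do |msg|
    p filter(FakeEvent.new('message' => msg)).first.to_hash
  end
end
```

Because the arguments come from the message itself, the script no longer depends on a separate kv step having produced a0/a1 fields, and the regular expression cannot accidentally match the msg=audit(...) or argc= tokens, since neither has a digit directly after the leading "a".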