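# CrowdSec parser: auditd records (key=value lines produced by auditd / audisp).
#
# Flow: the raw message is split into key=value pairs under evt.Unmarshaled.auditd,
# the `msg=audit(<epoch>:<serial>):` header is grok'ed for the timestamp and the
# per-record serial, then type-specific nodes tag the event and common fields are
# copied to evt.Meta for downstream scenarios.
#
# Caveats a scenario author should keep in mind:
#   - auditd hex-encodes any field whose value contains spaces, quotes or
#     non-printable bytes (exe, comm, proctitle, ...). Nothing here decodes that,
#     so matches on exe/comm must tolerate the hex form, which an attacker can
#     trigger deliberately by choosing such a name.
#   - The SYSCALL node only matches x86_64 (arch=c000003e); other architectures
#     (e.g. aarch64, where execve/execveat have different numbers) produce no
#     log_type=execve events from this parser.
name: crowdsecurity/auditd-logs
description: "Parse auditd logs"
filter: "evt.Parsed.program == 'auditd'"
onsuccess: next_stage
pattern_syntax:
  # audit header timestamps are epoch seconds with a fractional part.
  FLOAT: '[0-9\.]+'

nodes:

  - filter: ParseKV(evt.Parsed.message, evt.Unmarshaled, "auditd") == nil
    nodes:
      - grok:
          # e.g. msg=audit(1700000000.123:456): -> timestamp / event_inc_id
          pattern: '%{WORD:msg_type}\(%{FLOAT:timestamp}:%{INT:event_inc_id}\):'
          expression: evt.Unmarshaled.auditd.msg
        nodes:
          # Process execution on x86_64: execve (59) and execveat (322).
          # execveat is the path used by fexecve()/memfd-based fileless execution,
          # so it must be tagged as an exec too or those executions go unseen.
          - filter: evt.Unmarshaled.auditd.type == "SYSCALL" and evt.Unmarshaled.auditd.arch == "c000003e" and evt.Unmarshaled.auditd.syscall in ["59", "322"]
            statics:
              - meta: log_type
                value: execve

              # Best-effort parent lookup from the stash below. It is empty when
              # the parent's exec was not seen, expired (ttl) or evicted (size),
              # and can be wrong after PID reuse or when one agent ingests audit
              # logs from several hosts (PIDs are not host-scoped here). Treat it
              # as a hint, not as an authoritative lineage.
              - target: evt.Meta.parent_progname
                expression: GetFromStash("auditd_pid_progname", evt.Unmarshaled.auditd.ppid)

            stash:
              # pid -> exe of the last exec seen for that pid; bounded and short-lived
              # on purpose so a flood of execs cannot grow memory without limit.
              - name: auditd_pid_progname
                key: evt.Unmarshaled.auditd.pid
                value: evt.Unmarshaled.auditd.exe
                ttl: 1m
                size: 100
          # Abnormal process termination (crash / signal), e.g. a failed exploit.
          - filter: evt.Unmarshaled.auditd.type == "ANOM_ABEND"
            statics:
              - meta: log_type
                value: anom_abend
        statics:
          # Epoch seconds (with fraction) from the audit header, as captured by grok.
          - target: evt.StrTime
            expression: evt.Parsed.timestamp
          - meta: ppid
            expression: evt.Unmarshaled.auditd.ppid
          - meta: exe
            expression: evt.Unmarshaled.auditd.exe
          - meta: uid
            expression: evt.Unmarshaled.auditd.uid
          # auid is the login uid and survives su/sudo; prefer it over uid/euid
          # when attributing an action to a human.
          - meta: auid
            expression: evt.Unmarshaled.auditd.auid
          - meta: euid
            expression: evt.Unmarshaled.auditd.euid
          - meta: gid
            expression: evt.Unmarshaled.auditd.gid
          - meta: ses
            expression: evt.Unmarshaled.auditd.ses
          - meta: subj
            expression: evt.Unmarshaled.auditd.subj
          - meta: pid
            expression: evt.Unmarshaled.auditd.pid
          - meta: comm
            expression: evt.Unmarshaled.auditd.comm
          - meta: sig
            expression: evt.Unmarshaled.auditd.sig
          - meta: tty
            expression: evt.Unmarshaled.auditd.tty
          - meta: res
            expression: evt.Unmarshaled.auditd.res
          # Upper-case UID/GID are the resolved user/group names; presumably only
          # present when auditd writes enriched records (log_format = ENRICHED),
          # otherwise these stay empty -- verify against the audit configuration.
          - meta: str_UID
            expression: evt.Unmarshaled.auditd.UID
          - meta: str_GID
            expression: evt.Unmarshaled.auditd.GID
          # Per-record serial from the audit header; lets scenarios correlate the
          # SYSCALL/EXECVE/PATH/CWD records that belong to one audit event.
          - meta: auditd_eventid
            expression: evt.Parsed.event_inc_id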