Hi, I've searched Google and Graylog Marketplace for a plugin to parse Linux audit log messages with no success.
Some details about audit logs https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html Actually, audit event consists of three records, which share the same time stamp and serial number. Each record consists of several name=value pairs separated by a white space or a comma. What is the best way to parse audit log messages? I'm thinking of writing custom Graylog plugin. Regards, Aleksey -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/f3f2c42c-0fd1-4210-bdb3-0c08d4750f26%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
