I want to achieve two goals:

1. Extract name=value pairs from audit records. This can be solved by using the key=value extractor.
2. Aggregate a complete audit event (three audit records) into a single message. I don't know how to solve this problem.
On Monday, August 22, 2016 at 3:25:24 PM UTC+3, Phil Sumner wrote:
> You could use the key=value copy extractor
> (http://docs.graylog.org/en/2.0/pages/extractors.html#automatically-extract-all-key-value-pairs).
>
> That gets all the data into fields. Then after that, it depends on what you want to achieve.
>
> On Monday, 22 August 2016 13:10:42 UTC+1, Aleksey Chudov wrote:
>> Hi,
>>
>> I've searched Google and the Graylog Marketplace for a plugin to parse Linux audit log messages, with no success.
>>
>> Some details about audit logs:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Understanding_Audit_Log_Files.html
>>
>> Actually, an audit event consists of three records, which share the same time stamp and serial number. Each record consists of several name=value pairs separated by white space or a comma.
>>
>> What is the best way to parse audit log messages? I'm thinking of writing a custom Graylog plugin.
>>
>> Regards,
>> Aleksey
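The aggregation Aleksey asks about in goal 2, as an added example that is not part of the thread and not Graylog's or auditd's own code: a Python parser that extracts the name=value pairs from each record (goal 1, what the key=value extractor already does per message) and then groups records by the audit(TIMESTAMP:SERIAL) identifier in the msg= field, which is the only thing the three records of one event have in common. The sample records are constructed, modelled on the layout in the Red Hat guide linked above; the set of field names that auditd hex-encodes, and the type=EOE end-of-event marker (emitted by newer auditd versions, not mentioned in the RHEL 6 guide), are assumptions stated in the code.

```python
"""Parse Linux audit records into fields and aggregate them by audit(TIMESTAMP:SERIAL) id."""
import re
from typing import Dict, List, Optional

# type=SYSCALL msg=audit(1364481363.243:24287): arch=...  (optional node= prefix)
_HEADER_RE = re.compile(r"^(?:node=\S+\s+)?type=(?P<type>\w+)\s+"
                        r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# Values: bare token (a comma ends it), "double quoted", or 'single quoted' nested msg='...'.
_KV_RE = re.compile(r"""(?P<key>[\w-]+)=(?P<val>"[^"]*"|'[^']*'|[^\s,]*)""")
# auditd hex-encodes these string fields (unquoted) when they hold whitespace or
# non-printable bytes. Assumed set for this example, not an exhaustive list.
_HEX_FIELDS = {"name", "comm", "exe", "cwd", "proctitle", "key", "acct", "hostname", "terminal"}


def _decode(key: str, raw: str) -> str:
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]  # quoted value
    if key in _HEX_FIELDS and raw and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")  # hex-encoded string
    return raw


def parse_pairs(text: str) -> Dict[str, str]:
    """Extract key=value pairs; a nested msg='k=v ...' payload (USER_* records) is flattened in."""
    out: Dict[str, str] = {}
    for m in _KV_RE.finditer(text):
        key, raw = m["key"], m["val"]
        if key == "msg" and raw.startswith("'"):
            out.update(parse_pairs(raw[1:-1]))
        else:
            out[key] = _decode(key, raw)
    return out


def parse_record(line: str) -> Dict[str, object]:
    """One audit record -> dict of type, timestamp, serial and its fields."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rec: Dict[str, object] = {"type": m["type"], "timestamp": m["ts"], "serial": int(m["serial"])}
    rec.update(parse_pairs(m["body"]))
    return rec


class EventAggregator:
    """Buffer records by (timestamp, serial) and emit one flat event per identifier. PATH
    records repeat keys per item, so they become path.<item>.<key>; other types merge flat
    (<type>.<key> on conflict). Emit on type=EOE (newer auditd) or flush(); also flush by age."""

    def __init__(self) -> None:
        self._pending: Dict[tuple, Dict[str, object]] = {}

    def add(self, line: str) -> Optional[Dict[str, object]]:
        rec = parse_record(line)
        eid = (rec["timestamp"], rec["serial"])
        ev = self._pending.setdefault(
            eid, {"timestamp": rec["timestamp"], "serial": rec["serial"], "record_types": []})
        ev["record_types"].append(rec["type"])
        if rec["type"] == "EOE":
            return self._pending.pop(eid)
        prefix = f"path.{rec.get('item', '?')}." if rec["type"] == "PATH" else ""
        for k, v in rec.items():
            if k in ("type", "timestamp", "serial") or (prefix and k == "item"):
                continue
            key = prefix + k
            if not prefix and key in ev and ev[key] != v:
                key = f"{str(rec['type']).lower()}.{k}"
            ev[key] = v
        return None

    def flush(self) -> List[Dict[str, object]]:
        done = list(self._pending.values())
        self._pending.clear()
        return done


def aggregate(lines: List[str]) -> List[Dict[str, object]]:
    """Aggregate a finite batch: EOE-terminated events first, then whatever is left."""
    agg = EventAggregator()
    events = [ev for ev in (agg.add(ln) for ln in lines if ln.strip()) if ev]
    return events + agg.flush()


# Constructed sample input (not captured logs): a 3-record event without EOE, then one with two
# PATH items, one hex-encoded name ("/tmp/new file"), closed by EOE.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 '
    'items=1 pid=3538 auid=500 uid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="sshd_config"',
    'type=CWD msg=audit(1364481363.243:24287):  cwd="/home/shadowman"',
    'type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 '
    'dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0',
    'type=SYSCALL msg=audit(1364481400.001:24290): arch=c000003e syscall=2 success=yes exit=3 '
    'items=2 pid=4000 uid=500 comm="touch" exe="/bin/touch" key=(null)',
    'type=PATH msg=audit(1364481400.001:24290): item=0 name="/tmp" inode=2 dev=fd:00 mode=040777',
    'type=PATH msg=audit(1364481400.001:24290): item=1 name=2F746D702F6E65772066696C65 inode=77',
    'type=EOE msg=audit(1364481400.001:24290): ',
]

if __name__ == "__main__":
    print(*aggregate(SAMPLE_LINES), sep="\n")
```

Two points matter when porting this into a Graylog pipeline or plugin. First, a flat key=value merge silently clobbers fields: every PATH record of an event carries name, inode, mode and so on, so without the path.<item>. prefix only the last item survives and a rename or unlink event loses the path that matters. Second, the number of records per event is not fixed (it follows items=N plus any CWD, SOCKADDR or PROCTITLE records), so completion cannot be detected by counting to three; use the EOE marker when auditd emits it and otherwise release an event once no record with its serial has arrived for a few seconds.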
