Hello folks,
Some others have already written simple auditd decoders, but I decided
to take a stab at something comprehensive enough for inclusion into a
release. It has been tested with a few supported types on logs from
CentOS 5.5 and Ubuntu 10.04 LTS. Auditd supports over 90 event types, so
obviously this only supports a small subset, but I think it should be a
good start for most situations.
Please try it out and let me know if your logs decode properly. Do the
extracted fields make sense? Any suggestions?
Here is the current rev (available for one month from the date of this
post): http://pastebin.com/8R6S5L1N
Thanks,
Mike
[ossec-list] Beta (Comprehensive) Auditd Decoder, Michael Starks
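To make the "do the extracted fields make sense?" question concrete, here is an added example of the field extraction an auditd decoder has to perform. It is not Mike's decoder from the pastebin link and not OSSEC code (OSSEC decoders are written as XML regex rules; this is a stand-alone Python illustration of the same parsing logic). The three audit lines are constructed for the example and are not taken from the post. It covers the three things that make auditd harder to decode than a typical syslog line: the `msg=audit(timestamp:serial):` header, the `msg='...'` sub-record carried by USER_* events with its own key=value pairs, and the uppercase-hex encoding auditd applies to values such as `name=` that contain whitespace or control bytes. Records that belong to one event share a serial number, so the example also groups them, which is what a rule engine needs to correlate a SYSCALL record with its PATH records.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample records (not from the original post). Serial 4567 is a
# two-record event (SYSCALL + PATH); 4568 is a USER_LOGIN with a nested msg='...'.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1305000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=1234 a1=5678 a2=9abc a3=0 items=2 ppid=1000 pid=1001 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sudo" exe="/usr/bin/sudo" key="privesc"
type=USER_LOGIN msg=audit(1305000001.456:4568): user pid=1100 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=PATH msg=audit(1305000000.123:4567): item=0 name=2F62696E2F6C73 inode=12345 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

# Every audit record starts with type=... msg=audit(<epoch.ms>:<serial>):
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# key=value, where value is double-quoted, single-quoted (may contain spaces
# and nested key=value pairs) or a bare token. Order of alternatives matters.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
HEX_RE = re.compile(r"[0-9A-F]{2,}")
# Fields auditd hex-encodes instead of quoting when the value contains
# whitespace, quotes or control bytes (e.g. name=2F62696E2F6C73 for /bin/ls).
HEX_FIELDS = {"name", "comm", "exe", "proctitle", "acct", "cwd"}


def decode_value(key: str, raw: str) -> str:
    """Strip quoting or undo hex encoding for one field value."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if key in HEX_FIELDS and HEX_RE.fullmatch(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_fields(text: str) -> Dict[str, str]:
    """Extract all key=value pairs from the body of a record."""
    return {m.group(1): decode_value(m.group(1), m.group(2)) for m in FIELD_RE.finditer(text)}


def parse_record(line: str) -> Optional[Dict[str, Any]]:
    """Parse one audit line into type, timestamp, serial and a field dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # not an audit record; a decoder should pass it through
    fields = parse_fields(m.group("rest"))
    # USER_* records carry a nested msg='...' with their own pairs
    # (acct, addr, res, ...). Promote those without overriding outer keys.
    nested = fields.get("msg")
    if nested is not None:
        for k, v in parse_fields(nested).items():
            fields.setdefault(k, v)
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def parse_log(text: str) -> List[Dict[str, Any]]:
    return [rec for rec in (parse_record(l) for l in text.splitlines()) if rec is not None]


def group_events(records: List[Dict[str, Any]]) -> Dict[int, List[Dict[str, Any]]]:
    """Group records by serial: one auditd event is spread over several lines."""
    events: Dict[int, List[Dict[str, Any]]] = {}
    for rec in records:
        events.setdefault(rec["serial"], []).append(rec)
    return events


if __name__ == "__main__":
    for serial, recs in group_events(parse_log(SAMPLE_LOG)).items():
        print(serial, [(r["type"], r["fields"].get("exe") or r["fields"].get("name")) for r in recs])
```

Two caveats for anyone comparing this against real logs: `auid=4294967295` (and `ses=4294967295`) means "unset", not a real user ID, so a rule that alerts on "auid != uid" should treat that value specially; and the hex decoding is keyed on the field name because auditd only encodes the fields listed in `HEX_FIELDS`, so an unquoted hex-looking value elsewhere (for example `a0=1234`) is left as-is.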