On 07/13/2011 03:04 AM, Alex.B wrote:
> Hello Christopher,
> Thanks for the quick answer :)
> Unfortunately I did see this decoder but it doesn't do what I would
> like: extracting the filename and the editor's name (it can't because
> of the multi-line log it seems).
I had to make a couple of "artistic" decisions when writing the auditd
decoder. One was whether I should extract the UID as the dstuser or
"Bob." UID seems more correct, because there could be two Bobs, but I
decided to use the friendly name because most of the other decoders do
it that way and I thought people might want to correlate the actions of
a user across applications. Unfortunately, auditd is not consistent about
where it uses UIDs and where it uses user names.
At any rate, the rules would be the place to do the correlation. You
would want to use same_id and, in the case where the username is in
there and extracted properly, same_user.
Of course, the decoder is beta and may not work for your logs, so try
decoding some stuff and let us know how it goes. I'm open to changing it
if it makes sense and won't break other log formats.
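As an added illustration, not code from this thread or from OSSEC itself: the correlation Christopher points at (keying every record of one auditd event on the serial inside msg=audit(timestamp:serial), which is the "id" a same_id rule matches on) done in plain Python over a constructed audit.log fragment. It pulls out the filename from the PATH records and the login user from auid, and keeps both the numeric UID and a friendly name so the "Bob vs. 1000" trade-off from the reply is visible. The sample log lines, the uid-to-name table standing in for /etc/passwd, and the helper names are all assumptions made for the example.

```python
import re

# Constructed sample (assumption): one file-edit event (serial 4567) spread
# over SYSCALL/CWD/PATH/EOE records, plus an unrelated login event (4568).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1310540000.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=241 a2=1b6 a3=0 items=2 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="etc_changes"
type=CWD msg=audit(1310540000.123:4567):  cwd="/etc"
type=PATH msg=audit(1310540000.123:4567): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1310540000.123:4567): item=1 name="/etc/hosts" inode=123 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=EOE msg=audit(1310540000.123:4567):
type=USER_LOGIN msg=audit(1310540010.456:4568): pid=2000 uid=0 auid=1001 ses=2 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
"""

# Constructed uid -> name table (assumption; a real tool would read passwd).
PASSWD = {0: "root", 1000: "bob", 1001: "alice"}

# Every auditd record starts with type=... msg=audit(TIMESTAMP:SERIAL):
MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values may be bare, "double-quoted" or 'single-quoted'.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_record(line):
    """Split one audit.log line into type, timestamp, serial and fields."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(rest)}
    return {"type": rtype, "ts": ts, "serial": serial, "fields": fields}


def correlate(log_text):
    """Group records by serial: all lines of one event share it (same_id)."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # not an auditd record; ignore
        ev = events.setdefault(rec["serial"], {"ts": rec["ts"], "records": []})
        ev["records"].append(rec)
    return events


def summarize(event):
    """Extract who (auid/uid), what (exe, cwd) and which files from an event."""
    out = {"auid": None, "uid": None, "exe": None, "cwd": None, "files": []}
    for rec in event["records"]:
        f = rec["fields"]
        # auid is the login user and survives su/sudo; uid is the effective one.
        if out["auid"] is None and "auid" in f:
            out["auid"] = int(f["auid"])
        if out["uid"] is None and "uid" in f:
            out["uid"] = int(f["uid"])
        if rec["type"] == "SYSCALL":
            out["exe"] = f.get("exe")
        elif rec["type"] == "CWD":
            out["cwd"] = f.get("cwd")
        elif rec["type"] == "PATH":
            # item=0 is normally the parent directory; keep regular files only
            # (mode carries the S_IFMT bits, 0100... means a regular file).
            if f.get("mode", "").startswith("0100"):
                out["files"].append(f["name"])
    # Friendly names alongside the UIDs; an unset auid (4294967295) or an
    # unknown uid simply maps to None instead of a wrong "Bob".
    out["auid_name"] = PASSWD.get(out["auid"])
    out["uid_name"] = PASSWD.get(out["uid"])
    return out


def file_edits(log_text):
    """Return (serial, login user, exe, files) for every event touching a file."""
    return [
        (serial, s["auid_name"], s["exe"], s["files"])
        for serial, ev in sorted(correlate(log_text).items())
        for s in [summarize(ev)]
        if s["files"]
    ]


if __name__ == "__main__":
    for serial, user, exe, files in file_edits(SAMPLE_LOG):
        print(f"audit id {serial}: {user} ran {exe} on {', '.join(files)}")
```

The point of the grouping step is the same one a same_id rule relies on: nothing in a single PATH line says who opened the file, and nothing in the SYSCALL line says which file, so the serial is the only key that ties "editor" to "filename" once the records arrive as separate log lines.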