Report on Linux Audit Trail
Currently we are collecting Linux events by using syslog in the default configuration. An administrator recently added an audit daemon which sends out the audited events. However, this is covered in the XML with the audispd event or messageid 01009:01; the whole event is made up of 5 separate events, which makes it multi-line logging.
Is there a way to circumvent this with a report, by using a nested where clause or by using the event explorer?
So I don't want to concatenate them but merely group them based on a variable that is in only one of the sub-events. For example:
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=1 name=new.txt inode=205172 dev=08:06 mode=file,644 ouid=faisal ogid=users rdev=00:00
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=0 name=/tmp inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:41:37.578:1466) : cwd=/tmp
type=SYSCALL msg=audit(07/23/08 17:41:37.578:1466) : arch=x86_64 syscall=open success=yes exit=0 a0=7fff00e4e52c a1=941 a2=1b6 a3=0 items=2 ppid=23629 pid=23662 auid=unknown(4294967295) uid=faisal gid=users euid=faisal suid=faisal fsuid=faisal egid=users sgid=users fsgid=users tty=tty2 comm=touch exe=/bin/touch key="CFG_tmp"
How do I display this based on the fact that all events are in the same table but only the SYSCALL event has a user identifier (using a valuemap in the XML will help in getting a name there) on which I would like to search? I can use the session identifier, but then the report would be a two-step process, which I do not want.
Many thanks in advance.
Hi, You don't say which version of Linux you're running, but we ran into a similar issue with some legacy RHv3 servers... the audit events span multiple lines and are therefore unsupported by enVision. We resolved this using a script on the server that concatenates the audit events prior to sending them to enVision. It's been working great for 18 months or so now.
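As an added illustration of both posts above (not code from either poster or from enVision), the script below groups the interpreted audit records by the serial number inside msg=audit(timestamp:serial), copies the identity fields from the SYSCALL record onto its sibling PATH and CWD records, and then selects every record belonging to a given user in one step. The sample log is the question's own event; the field names chosen for enrichment (uid, auid, comm, exe, key) are an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the records of one audit event, in the interpreted
# (ausearch -i style) format shown in the question. All share serial 1466.
SAMPLE_LOG = """\
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=1 name=new.txt inode=205172 dev=08:06 mode=file,644 ouid=faisal ogid=users rdev=00:00
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=0 name=/tmp inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:41:37.578:1466) : cwd=/tmp
type=SYSCALL msg=audit(07/23/08 17:41:37.578:1466) : arch=x86_64 syscall=open success=yes exit=0 a0=7fff00e4e52c a1=941 a2=1b6 a3=0 items=2 ppid=23629 pid=23662 auid=unknown(4294967295) uid=faisal gid=users euid=faisal suid=faisal fsuid=faisal egid=users sgid=users fsgid=users tty=tty2 comm=touch exe=/bin/touch key="CFG_tmp"
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>) : <key=value body>
HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[^()]+):(?P<serial>\d+)\) : (?P<body>.*)$')
# key=value pairs; quoted values (key="CFG_tmp") may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields taken from the SYSCALL record and attached to its siblings (assumed set)
IDENTITY_FIELDS = ('uid', 'auid', 'comm', 'exe', 'key')


def parse_record(line):
    """Split one audit line into (serial, type, fields); None if it is not an audit record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
    return int(m.group('serial')), m.group('type'), fields


def group_events(lines):
    """Group records by serial and copy the SYSCALL identity fields onto every sibling record."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            serial, rtype, fields = rec
            events[serial].append({'type': rtype, **fields})
    for recs in events.values():
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        if syscall:
            ident = {k: syscall[k] for k in IDENTITY_FIELDS if k in syscall}
            for r in recs:
                for k, v in ident.items():
                    r.setdefault(k, v)  # PATH keeps its own ouid; uid etc. come from SYSCALL
    return dict(events)


def records_for_user(events, uid):
    """Return every record (PATH, CWD, SYSCALL, ...) of events performed by uid."""
    return [r for recs in events.values() for r in recs if r.get('uid') == uid]


if __name__ == '__main__':
    for r in records_for_user(group_events(SAMPLE_LOG.splitlines()), 'faisal'):
        print(r['type'], r.get('name', r.get('cwd', '-')), r['uid'], r['comm'], r['key'])
```

If the aim is the reply's approach instead, each entry of the grouped dict can be joined into one line per serial before forwarding, so the collector only ever sees a single record per event.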