RSA Admin

Report on Linux Audit Trail

Discussion created by RSA Admin Employee on Mar 23, 2010
Latest reply on Apr 1, 2010 by RSA Admin

Hi all,

Currently we are collecting Linux events by using syslog in the default configuration. An administrator recently added an audit daemon which sends out the audited events. However, this is covered in the XML with the audispd event or message ID 01009:01; the whole event is made up of 5 separate events, which makes it multi-line logging.

Is there a way to circumvent this with a report, by using a nested where clause or by using the event explorer?

So I don't want to concatenate them but merely group them based on a variable that is in only one of the sub-events. For example:

type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=1 name=new.txt inode=205172 dev=08:06 mode=file,644 ouid=faisal ogid=users rdev=00:00

type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=0 name=/tmp inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00

type=CWD msg=audit(07/23/08 17:41:37.578:1466) : cwd=/tmp

type=SYSCALL msg=audit(07/23/08 17:41:37.578:1466) : arch=x86_64 syscall=open success=yes exit=0 a0=7fff00e4e52c a1=941 a2=1b6 a3=0 items=2 ppid=23629 pid=23662 auid=unknown(4294967295) uid=faisal gid=users euid=faisal suid=faisal fsuid=faisal egid=users sgid=users fsgid=users tty=tty2 comm=touch exe=/bin/touch key="CFG_tmp"

How do I display this based on the fact that all events are in the same table but only the SYSCALL event has a user identifier (using a valuemap in the XML will help in getting a name there) on which I would like to search? I can use the session identifier, but then the report would be a two-step process, which I do not want.

Many thanks in advance.
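As an added illustration (not from the thread and not RSA product code), here is the grouping the post describes done in Python: the four records are joined on the audit(timestamp:serial) id, the uid is taken from the SYSCALL record, and it is attached to the whole event so the event can be filtered by user in a single pass. The sample lines are the ones quoted in the post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the four records from the post, which together form one
# audit event (serial 1466). Only the SYSCALL record carries the user identity.
SAMPLE = """\
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=1 name=new.txt inode=205172 dev=08:06 mode=file,644 ouid=faisal ogid=users rdev=00:00
type=PATH msg=audit(07/23/08 17:41:37.578:1466) : item=0 name=/tmp inode=3563 dev=08:06 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(07/23/08 17:41:37.578:1466) : cwd=/tmp
type=SYSCALL msg=audit(07/23/08 17:41:37.578:1466) : arch=x86_64 syscall=open success=yes exit=0 a0=7fff00e4e52c a1=941 a2=1b6 a3=0 items=2 ppid=23629 pid=23662 auid=unknown(4294967295) uid=faisal gid=users euid=faisal suid=faisal fsuid=faisal egid=users sgid=users fsgid=users tty=tty2 comm=touch exe=/bin/touch key="CFG_tmp"
"""

# "type=X msg=audit(<timestamp>:<serial>) : <key=value ...>"; the serial is the join key
HEADER = re.compile(r'^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$')
# a value is either a double-quoted string (key="CFG_tmp") or a run of non-space chars
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (serial, record_type, fields) for one audit line, or None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None                      # e.g. an ordinary syslog line in the same feed
    rtype, ts, serial, body = m.groups()
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD.findall(body)}
    fields["timestamp"] = ts
    return int(serial), rtype, fields

def group_events(lines):
    """Group records by audit serial and lift the SYSCALL identity onto the whole event."""
    events = defaultdict(lambda: {"records": [], "syscall": {}})
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, rtype, fields = parsed
        events[serial]["records"].append((rtype, fields))
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
    rows = []
    for serial, ev in sorted(events.items()):
        sc = ev["syscall"]
        rows.append({
            "serial": serial,
            "uid": sc.get("uid"), "auid": sc.get("auid"),   # auid unknown(4294967295) = unset
            "comm": sc.get("comm"), "key": sc.get("key"),
            "paths": [f["name"] for t, f in ev["records"] if t == "PATH"],
            "cwd": next((f["cwd"] for t, f in ev["records"] if t == "CWD"), None),
        })
    return rows

def events_for_user(lines, user):
    """The one-step report the post asks for: whole events where the SYSCALL uid matches."""
    return [e for e in group_events(lines) if e["uid"] == user]
```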
