Auditd logs are the single richest and most precise source of auditing information available on GNU/Linux, but they are too often underutilised because of their complexity. This app and its TA make that information readily accessible at enterprise scale in three mobile-friendly interactive dashboards, together with field extractions, lookups and CIM mappings for Enterprise Security. For example, the event below consists mostly of easily parsed key-value pairs, but two fields need more than extraction. The app uses the "arch" and "syscall" values together to resolve the system call that was made (a syscall number is only meaningful for a given architecture; 62 is kill on x86_64), and it resolves the auid (the audit UID, also called the login UID, which is assigned at login and preserved across su and sudo, so it identifies the user who actually started the session even when the process runs as uid=0) to a POSIX account name for searching and correlation in Enterprise Security.

type=SYSCALL msg=audit(1321390138.034:228150): arch=c000003e syscall=62 success=yes exit=0 a0=14a3 a1=0 a2=7fcfa39 a3=12a0 items=0 ppid=19051 pid=19128 auid=3045 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7643 comm="splunkd" exe="/opt/splunk/bin/splunkd" subj=system_u:system_r:splunk_t:s0 key=(null)
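
The enrichment described above, as an added example that is not part of the app or its TA: split the record into key=value pairs, decode the "arch" field, look the syscall number up in a per-architecture table, and resolve the auid to an account, treating the unset value 4294967295 as "no login user". The syscall tables and passwd data are deliberately small and constructed; the second sample record is constructed as well (a 32-bit execve by a boot-started daemon whose comm contains a space, which auditd hex-encodes instead of quoting). A real deployment would use complete per-arch tables and a passwd or LDAP lookup.

```python
"""Parse and enrich an auditd SYSCALL record (added example, constructed tables)."""
import re

# Record 1 is the event quoted on the page. Record 2 is constructed: a 32-bit
# execve by a daemon started at boot (auid never set), with comm and exe
# hex-encoded because they contain a space.
SAMPLES = [
    'type=SYSCALL msg=audit(1321390138.034:228150): arch=c000003e syscall=62 '
    'success=yes exit=0 a0=14a3 a1=0 a2=7fcfa39 a3=12a0 items=0 ppid=19051 '
    'pid=19128 auid=3045 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=7643 comm="splunkd" exe="/opt/splunk/bin/splunkd" '
    'subj=system_u:system_r:splunk_t:s0 key=(null)',
    'type=SYSCALL msg=audit(1321390200.001:228151): arch=40000003 syscall=11 '
    'success=yes exit=0 a0=8a1c2f0 a1=8a1c310 a2=8a1c320 a3=0 items=2 '
    'ppid=1 pid=742 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=6D7920746F6F6C '
    'exe=2F7573722F6C6F63616C2F62696E2F6D7920746F6F6C key=(null)',
]

# Constructed stand-in for /etc/passwd or a directory lookup.
PASSWD = {0: "root", 3045: "svc_splunk"}
UNSET_UID = 4294967295  # (unsigned)-1: auid was never set, typical for boot-started daemons

# Partial per-arch syscall tables. The same number means different calls on
# different architectures (62 is kill on x86_64 but ustat on i386), which is
# why arch must be decoded before the number is looked up.
SYSCALLS = {
    "x86_64": {0: "read", 1: "write", 2: "open", 59: "execve", 62: "kill", 257: "openat"},
    "i386": {3: "read", 4: "write", 5: "open", 11: "execve", 37: "kill", 62: "ustat"},
}

# Layout of the arch field (linux/audit.h): low bits hold the ELF machine
# number, 0x80000000 flags a 64-bit ABI and 0x40000000 little-endian.
AUDIT_ARCH_64BIT = 0x80000000
MACHINES = {(62, 64): "x86_64", (3, 32): "i386", (183, 64): "aarch64"}

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
HEX_FIELDS = {"comm", "exe", "proctitle", "cwd", "name"}  # fields auditd may hex-encode


def decode_arch(value):
    """Map the hex arch value to a name; unknown machines are kept as numbers."""
    n = int(value, 16)
    machine = n & 0x0FFFFFFF
    bits = 64 if n & AUDIT_ARCH_64BIT else 32
    return MACHINES.get((machine, bits), f"em{machine}_{bits}bit")


def parse_record(line):
    """Split one audit record into a dict; unquote or hex-decode string fields."""
    fields = {}
    for key, raw in TOKEN.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        elif key in HEX_FIELDS and HEX_RE.fullmatch(raw):
            # auditd hex-encodes, rather than quotes, strings with spaces or control chars
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace").rstrip("\x00")
        else:
            fields[key] = raw
    m = MSG_RE.search(fields.get("msg", ""))
    if m:
        fields["_time"] = float(m.group(1))   # epoch seconds with milliseconds
        fields["_serial"] = int(m.group(2))   # joins the SYSCALL record to its PATH/CWD records
    return fields


def enrich(fields):
    """Add arch name, syscall name, login user and decoded arguments."""
    out = dict(fields)
    arch = decode_arch(fields["arch"])
    num = int(fields["syscall"])
    out["arch_name"] = arch
    out["syscall_name"] = SYSCALLS.get(arch, {}).get(num, f"syscall_{num}")
    # auid is the login UID set by pam_loginuid and kept across su/sudo, so it
    # names the human behind a uid=0 action. Never attribute the unset value.
    auid = int(fields["auid"])
    out["user"] = "unset" if auid == UNSET_UID else PASSWD.get(auid, f"uid:{auid}")
    out["success"] = fields.get("success") == "yes"
    # a0..a3 are raw hex and only meaningful once the syscall is known.
    if out["syscall_name"] == "kill":
        out["target_pid"] = int(fields["a0"], 16)
        out["signal"] = int(fields["a1"], 16)  # signal 0 only probes that the pid exists
    return out


if __name__ == "__main__":
    for sample in SAMPLES:
        rec = enrich(parse_record(sample))
        print(rec["_serial"], rec["arch_name"], rec["syscall_name"], rec["user"], rec["comm"])
```

For the page's own record this yields arch x86_64, syscall kill sent by svc_splunk with signal 0 to pid 5283, which is a liveness check rather than a termination; the same "syscall=62" on an i386 host would have been ustat, which is the reason the app keys its lookup on both fields.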

Updates