topic Re: Can I concatenate the arguments contained in Linux auditd "EXECVE" events? in Splunk Search

Can I concatenate the arguments contained in Linux auditd "EXECVE" events?

johnvr — Thu, 11 Oct 2018 23:03:09 GMT

For example, a standard EXECVE event in my environment will appear as:

type=EXECVE msg=audit($something$) : arg=3 a0=systemctl a1=status a2=auditd.service

I'm attempting to concatenate those so that, in every event, I'll end up with a field, call it "total_argument" where the value in the above circumstance will be "systemctl status auditd.service"

The catch is, the argument number will obviously vary from event to event, and vary wildly - this means a simple eval to add a0, a1, and a2 would work only for the messages that only have 3 arguments.

I'm looking for a way to accomplish this that would concatenate those values regardless of how many arguments the event would have.

Is there a way to accomplish this in Splunk?

Re: Can I concatenate the arguments contained in Linux auditd "EXECVE" events?

renjith_nair — Fri, 12 Oct 2018 01:53:02 GMT

@johnvr , does this argument has a common pattern in the names to distinguish from other fields?

Re: Can I concatenate the arguments contained in Linux auditd "EXECVE" events?

johnvr — Fri, 12 Oct 2018 22:42:11 GMT

If I understand what you're asking, the answer is yes. It's always a+digit. a0, a1, a2, etc.

In some cases, I've seen this get into the 100s.

Re: Can I concatenate the arguments contained in Linux auditd "EXECVE" events?

renjith_nair — Fri, 12 Oct 2018 23:54:40 GMT

@johnvr ,

Try

|eval total_argument=""|foreach a* [eval total_argument=if(match("<<FIELD>>","a[0-9].*"),total_argument." ".<<FIELD>>,total_argument) ]

Sample search used,

|makeresults |eval type="EXECVE", msg="audit", arg=3, a0="systemctl", a1="status", a2="auditd.service"|eval total_argument=""
|foreach a* [eval total_argument=if(match("<<FIELD>>","a[0-9].*"),total_argument." ".<<FIELD>>,total_argument) ]

Re: Can I concatenate the arguments contained in Linux auditd "EXECVE" events?

johnvr — Mon, 15 Oct 2018 17:56:02 GMT

That works! Well, in some cases. In others, not. Investigating. Would this work in props.conf as an eval, or would it have to be an extraction, or...?

index=auditd type=EXECVE, the argc (the count) field is represented in about 96% of events, but that's only working in about 30%.

Re: Can I concatenate the arguments contained in Linux auditd "EXECVE" events?

renjith_nair — Tue, 16 Oct 2018 13:24:01 GMT

@johnvr , i missed the initialization part eval total_argument="" in the search though its mentioned in the sample search. Updated the answer now. Would be interested to know which case its not working. I doubt the foreacch in props. Instead you can try below also

|rex field=_raw "arg=\d+\s+(?<total_argument>.+)$"|rex field=total_argument mode=sed "s/a\d+=//g"

Re: Can I concatenate the arguments contained in Linux auditd "EXECVE" events?

johnvr — Thu, 18 Oct 2018 19:06:06 GMT

Getting much better results with the RegEx.

About 70% get parsed.

A couple examples that don't... (the second example makes sense b/c spaces are included in the argument)... I'll mess with this, but let me know if you've got any updates. One thing I've noticed... these EXECVE events end with the final argument. So "$" may be relevant somewhere.

argc=2 a0=df a1=-iP

argc=3 a0=sh a1=-c a2=rpm -qp --queryformat '%{NAME} %{VERSION}-%{RELEASE}\012' /tmp/prod-lti-number.x86_64.rpm

Re: Can I concatenate the arguments contained in Linux auditd "EXECVE" events?

johnvr — Tue, 29 Sep 2020 21:39:06 GMT

I'll add that these fields are just being parsed via KV_Mode, which might be part of the problem. It's breaking arguments that have spaces. Therefore, I may need to turn KV_Mode to none, and try regular regex extractions.

Re: Can I concatenate the arguments contained in Linux auditd "EXECVE" events?

johnvr — Thu, 18 Oct 2018 19:20:51 GMT

Then again... if I push everything to regular regex extractions, I'm going to have to account for any # of arguments... hm...

Re: Can I concatenate the arguments contained in Linux auditd "EXECVE" events?

renjith_nair — Fri, 19 Oct 2018 13:57:25 GMT

@johnvr,
I just tried with your above examples and it works for me

    | makeresults |eval data="argc=2 a0=df a1=-iP,argc=3 a0=sh a1=-c a2=rpm -qp --queryformat '%{NAME} %{VERSION}-%{RELEASE}\012' /tmp/prod-lti-number.x86_64.rpm"
    |makemv data delim=","|mvexpand data
    |rex field=data "argc=\d+\s+(?<total_argument>.+)$"|rex field=total_argument mode=sed "s/a\d+=//g"