https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74641#M18822 <P>Running into the same issue, can help mention how to tried to extract field "data" into string format.<BR /> Thanks.</P> Thu, 24 Jan 2019 07:18:08 GMT dharshini 2019-01-24T07:18:08Z https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74637#M18818 <P>I'm sending my splunk server /var/log/audit.log data from each client machine (splunkforwarder). I have logging of TTY data for root enabled, and would like to be able to read that in splunk. Does anyone know a way to convert the raw data into something readable?</P> Fri, 28 Sep 2012 14:24:13 GMT https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74637#M18818 cgkades 2012-09-28T14:24:13Z https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74638#M18819 <P>Can you provide an example of what you see and what you want to see? Are you looking for something like <A href="http://splunk-base.splunk.com/answers/60048/how-to-include-completely-missing-fields-in-results">this</A> where you would convert the data within a field? Or are you not getting fields, and wnat to extract them into a fields?</P> Fri, 28 Sep 2012 16:33:46 GMT https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74638#M18819 jsb22 2012-09-28T16:33:46Z https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74639#M18820 <P>I would like to translate the data=[hex string].<BR /> the entry in splunk:</P> <P>type=TTY msg=audit(1234123.123:6644): tty pid=12345 uid=0 auid=1234 major=137 minor=20 comm="bash" data=121212F0D00DDD0121212423400D host=myhostname | sourcetype=linux_audit | source=/var/log/audit/audit.log</P> <P>all numbers except uid=0 were replaced with random numbers, as well as the host name.</P> Fri, 28 Sep 2012 18:10:29 GMT https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74639#M18820 cgkades 2012-09-28T18:10:29Z https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74640#M18821 <P>It looks like it's a hex string that is just ascii data. I was able to convert the data manually in python. Can anyone point me in the direction of the docs that cover how to run a script against a certain field? I only want it to translate the field "data=" from hex to ascii when the type=TTY</P> Fri, 28 Sep 2012 18:35:03 GMT https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74640#M18821 cgkades 2012-09-28T18:35:03Z https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74641#M18822 <P>Running into the same issue, can help mention how to tried to extract field "data" into string format.<BR /> Thanks.</P> Thu, 24 Jan 2019 07:18:08 GMT https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74641#M18822 dharshini 2019-01-24T07:18:08Z https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74642#M18823 <P>try this:</P> <P>Example raw log:<BR /> type=USER_TTY msg=audit(1573643958.798:1973): pid=2964 uid=0 auid=1000 ses=22 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data=636174202F7661722F6C6F672F61756469742F61756469742E6C6F67207C206772657020555345525F545459UID="root" AUID="rdevega"</P> <P>splunk code:</P> <PRE><CODE>your search here | eval keystrokes = urldecode(replace(data,"([0-9A-F]{2})","%\1")) | table data keystrokes </CODE></PRE> <P>results:</P> <P><IMG src="https://community.splunk.com/storage/temp/275134-anotacion-2019-11-13-122243.png" alt="alt text" /></P> Wed, 30 Sep 2020 02:57:18 GMT https://community.splunk.com/t5/Splunk-Search/Convert-audit-log-TTY-data/m-p/74642#M18823 rafadvega 2020-09-30T02:57:18Z