Splunk Search

Group full auditd (rlog) EXECVE commands by User?



I have been trying to write some custom searches against linux auditd logs to get a list of all commands executed by users in a given time period. I am using the rlog.sh and common.sh scripts included in the Unix addon for field extraction / to make the logs human readable.

Each "event" consists of multiple lines in the log file, so I am using the "transaction" command to group them by message. For example this gives me a list of the commands executed per user/host:

source="auditd"| transaction msg | stats values(type) AS EventType, values(exe) AS Commands BY auid, host

This works, but I want to take it a step further to get the full command and arguments the user executed. The user id (auid) and arguments (a0, a1, a2) are in separate lines. Additionally, these arguments are also defined for SYSCALL messages, not just "EXECVE" so when I group the lines into a transaction I get a bunch of lines for valid commands, and a bunch of random looking characters generated from SYSCALL messages.

I know I could search on "type=EXECVE", but since no user information (auid) is included on this line, I can't get the full command that was executed unless the SYSCALL message is also available. Any ideas how I can manage this?

For reference here is a sample transaction (4 lines grouped together):

type=SYSCALL msg=audit(07/25/2012 11:17:53.068:117102) : arch=x86_64 syscall=execve success=yes exit=0 a0=608feb0 a1=60a2510 a2=60c9cc0 a3=8 items=2 ppid=28698 pid=30395 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=1463 comm=vim exe=/usr/bin/vim key=ROOT_ACTION 

type=EXECVE msg=audit(07/25/2012 11:17:53.068:117102) : argc=2 a0=vim a1=/etc/hosts 

type=PATH msg=audit(07/25/2012 11:17:53.068:117102) : item=0 name=/usr/bin/vim inode=23699036 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 

type=PATH msg=audit(07/25/2012 11:17:53.068:117102) : item=1 name=(null) inode=18645014 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 

Any help is greatly appreciated!


EDIT: I was thinking maybe I could split up the "transaction" back into regular events? I tried to use a regular expression (which works in perl) but not in splunk:

source="auditd" | transaction msg | rex "^(?<raw>type=.*\n.*)$" | mvexpand raw

For some reason the above only finds transactions with a single line (i.e. type=CONFIG_CHANGE, type=LOGIN). Any ideas why it won't match each line in a transaction? Am I doing this the wrong way?

Tags (1)


This is an old question, but for folks with a similar requirement, check out the Linux Audit app, which provides this correlation out of the box: https://splunkbase.splunk.com/app/2642/

0 Karma


I have a similar problem.
You can recognise the event (so you can associate the SYSCALL with the relative EXECVE) with the number after the timestamp:. As per your example the number: 117102

Let me know if it works and if you did the correlation!!


0 Karma