Splunk Search

What is the best way to use one auditd record to search for a second auditd record

davidschatz
New Member

Question: How do you use one auditd record which contains a key to extract a field from a second auditd record which does not have that key? They share a msg ID. Both fields need to be combined into one table (see below). Join? Subsearch?

This search fails:
earliest=-d@d | join msg [search key=q_etc] | table msg, exe, name, type

Example:

Record 1:
type=SYSCALL msg=audit(1494348060.908:689): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=1b740c0 a2=0 a3=15e items=2 ppid=1476 pid=1477 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/bin/rm" key="q_etc"

Record 2:
type=PATH msg=audit(1494348060.908:689): item=1 name="passwd" inode=988 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE

The table should show:

EXE        FILE
/bin/rm    passwd
/bin/vi    shadow

0 Karma
1 Solution

DalJeanis
SplunkTrust

We're assuming you have a bunch of different records that have q_etc as their "key", and you want the answers for all of them.

This code assumes that msg, exe, name and type are all predefined in your system:

index=foo ((type="SYSCALL" AND key="q_etc") OR type="PATH")
| table key msg type exe name

| rename COMMENT as "We have two kinds of records now"
| rename COMMENT as "type    key      msg                         exe       name"
| rename COMMENT as "SYSCALL q_etc    audit(1494348060.908:689):  /bin/rm   NULL"
| rename COMMENT as "PATH    NULL     audit(1494348060.908:689):  NULL      passwd"

| rename COMMENT as "Roll them together by msg; all the fields will be on one record,"
| rename COMMENT as "and the type field will be multivalue with both PATH and SYSCALL."
| stats values(*) as * by msg
| table key msg type exe name

| rename COMMENT as "After verifying the above, this reformats to your output format"
| rename exe as EXE, name as FILE
| table EXE FILE

The table commands after the first one are not strictly necessary; they are just there so you will be able to understand what the data records look like at those points.


Once you've tested the above verbose code and you see that it works in your installation, and you know how it works, here's the clipped back, "just hand me the answer" version:

index=foo ((type="SYSCALL" AND key="q_etc") OR type="PATH")
| table msg exe name
| stats values(*) as * by msg
| rename exe as EXE, name as FILE
| table EXE FILE


0 Karma
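As an added example that is not part of the answer above, the same roll-up done outside Splunk in Python: parse auditd lines, group them by the audit(ts:serial) id that SYSCALL and PATH records share (the equivalent of `stats values(*) as * by msg`), keep only events whose SYSCALL record carries the wanted key, and, since an event with items=2 has two PATH records, skip the PARENT directory entry. The item=0 PATH record and the second, unkeyed event are constructed to show those cases.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from the question, plus a constructed
# item=0 PATH record (the parent directory of the deleted file) and a second
# event with a different key, which must not appear in the result.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1494348060.908:689): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=1b740c0 a2=0 a3=15e items=2 ppid=1476 pid=1477 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/bin/rm" key="q_etc"
type=PATH msg=audit(1494348060.908:689): item=0 name="/etc" inode=2 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1494348060.908:689): item=1 name="passwd" inode=988 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1494348099.123:702): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1476 pid=1490 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="q_home"
type=PATH msg=audit(1494348099.123:702): item=0 name="/home/user/notes" inode=400 dev=ca:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

# key=value pairs; values are either "quoted" or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Turn one auditd line into a dict; quoted values lose their quotes."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def correlate(log_text, key="q_etc"):
    """Return (exe, name, nametype, auid) rows for every event whose SYSCALL
    record has the given key, joined to that event's PATH records by msg."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "msg" not in rec:
            continue
        ev = events[rec["msg"]]          # msg is the shared audit(ts:serial) id
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec)
    rows = []
    for ev in events.values():
        sc = ev["syscall"]
        if sc is None or sc.get("key") != key:
            continue                      # PATH records with no keyed SYSCALL are dropped
        # Several PATH items per event are normal; the PARENT entry is the
        # directory, not the file that was acted on, so leave it out.
        for p in sorted(ev["paths"], key=lambda r: int(r.get("item", 0))):
            if p.get("nametype") == "PARENT":
                continue
            rows.append((sc.get("exe"), p.get("name"), p.get("nametype"), sc.get("auid")))
    return rows

if __name__ == "__main__":
    for exe, name, nametype, auid in correlate(SAMPLE_LOG):
        print(f"{exe:<12}{name:<20}{nametype:<8}{auid}")
```

The serial in msg is assigned per host, so when one log covers several machines add the host to the grouping key as well.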


davidschatz
New Member

Very elegant fix.

Using the stats command, your search string:
1) accepted all SYSCALL and PATH records,
2) subselected only SYSCALL records having the "q_etc" key,
3) extracted the "msg" field from the SYSCALL record,
4) used this "msg" field to search all PATH records with the same "msg" field, and
5) created a combined table with both the SYSCALL "exe" and PATH file name fields.

This was necessary for splunk/auditd integration, and creates very informative tables:

/bin/touch  deleteme.txt    1000  ip-192-168-10-14
/bin/chmod  deleteme.txt    1000  ip-192-168-10-14
/bin/cp     deleteme.txt.2  1000  ip-192-168-10-14
/bin/rm     deleteme.txt.2  1000  ip-192-168-10-14

Thanks so much.

0 Karma

wenthold
Communicator

I would use the transaction command...

source="/var/log/audit/audit.log" | transaction maxspan=1s msg | table exe name nametype
0 Karma