Question: How do you use one auditd record which contains a key to extract a field from a second auditd record which does not have that key? They share a msg ID. Both fields need to be combined into one table (see below). Join? Subsearch?
This search fails:
earliest=-d@d | join msg [search key=q_etc] | table msg, exe, name, type
Example:
Record 1:
type=SYSCALL msg=audit(1494348060.908:689): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=1b740c0 a2=0 a3=15e items=2 ppid=1476 pid=1477 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/bin/rm" key="q_etc"
Record 2:
type=PATH msg=audit(1494348060.908:689): item=1 name="passwd" inode=988 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
The table should show:
EXE...............................FILE
/bin/rm...........................passwd
/bin/vi............................shadow
We're assuming you have a bunch of different records that have q_etc as their "key", and you want the answers for all of them.
This code assumes that msg, exe, name and type are all predefined in your system:
index=foo ((type="SYSCALL" AND key="q_etc") OR type="PATH")
| table key msg type exe name
| rename COMMENT as "We have two kinds of records now"
| rename COMMENT as "type key msg exe name"
| rename COMMENT as "SYSCALL q_etc audit(1494348060.908:689): /bin/rm NULL"
| rename COMMENT as "PATH NULL audit(1494348060.908:689): NULL passwd"
| rename COMMENT as "Roll them together by msg, all the fields will be on one record."
| rename COMMENT as "and the type field will be multivalue with both PATH and SYSCALL."
| stats values(*) as * by msg
| table key msg type exe name
| rename COMMENT as "After verifying the above, this reformats to your output format"
| rename exe as EXE, name as FILE
| table EXE FILE
The table commands after the first one are not strictly necessary; they are just there so that you can see what the data records look like at those points.
Once you've tested the above verbose code and you see that it works in your installation, and you know how it works, here's the clipped back, "just hand me the answer" version:
index=foo ((type="SYSCALL" AND key="q_etc") OR type="PATH")
| table msg exe name
| stats values(*) as * by msg
| rename exe as EXE, name as FILE
| table EXE FILE
Very elegant fix.
Using the stats command, your search string:
1) accepted all SYSCALL and PATH records,
2) subselected only SYSCALL records having the "q_etc" key,
3) extracted the "msg" field from the SYSCALL record,
4) used this "msg" field to search on all PATH records with the same "msg" field, and
5) created a combined table with both the SYSCALL "exe" and PATH file name fields.
This was necessary for Splunk/auditd integration, and creates very informative tables:
Thanks so much.
/bin/touch deleteme.txt 1000 ip-192-168-10-14
/bin/chmod deleteme.txt 1000 ip-192-168-10-14
/bin/cp deleteme.txt.2 1000 ip-192-168-10-14
/bin/rm deleteme.txt.2 1000 ip-192-168-10-14
I would use the transaction command...
source="/var/log/audit/audit.log" | transaction maxspan=1s msg | table exe name nametype
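Both answers rely on the same idea: the msg value audit(<timestamp>:<serial>) is the event id auditd stamps on every record of one syscall, so grouping by it (stats values(*) as * by msg in the accepted answer, transaction msg in the one above) puts the SYSCALL's exe and the PATH's name on one row. The Python below is an added, offline illustration of that grouping and is not code from this thread; the log lines are constructed. It also covers a wrinkle the question's single PATH record hides: auditd writes one PATH record per path item, so removing /etc/passwd produces item=0 name="/etc" with nametype=PARENT as well as item=1 name="passwd", and values(name) by msg becomes multivalued unless the PARENT record is filtered out (for example with nametype!=PARENT in the search). The drop_parent switch models that filter.

```python
"""Correlate auditd SYSCALL and PATH records that share one audit msg id.

Added, stand-alone illustration of what the two Splunk searches on this page
do (stats values(*) as * by msg, or transaction msg); not code from the
thread. The sample log below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: three events. 689 and 690 carry key="q_etc"; 691 does
# not and must be dropped. Event 689 shows that auditd writes one PATH record
# per path item, so unlinking /etc/passwd yields the parent directory
# (item=0, nametype=PARENT) as well as the file itself (item=1).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1494348060.908:689): arch=c000003e syscall=263 success=yes exit=0 ppid=1476 pid=1477 auid=1000 uid=0 comm="rm" exe="/bin/rm" key="q_etc"
type=PATH msg=audit(1494348060.908:689): item=0 name="/etc" inode=4096 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1494348060.908:689): item=1 name="passwd" inode=988 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1494348061.120:690): arch=c000003e syscall=257 success=yes exit=3 ppid=1476 pid=1480 auid=1000 uid=0 comm="vi" exe="/bin/vi" key="q_etc"
type=PATH msg=audit(1494348061.120:690): item=0 name="shadow" inode=991 dev=ca:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1494348062.000:691): arch=c000003e syscall=257 success=yes exit=3 ppid=1476 pid=1490 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="home_read"
type=PATH msg=audit(1494348062.000:691): item=0 name="notes.txt" inode=2001 dev=ca:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one auditd line into a dict, dropping the quotes around values.
    The msg value keeps its trailing colon, e.g. 'audit(1494348060.908:689):',
    which is exactly the string the SYSCALL and PATH records share."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def correlate(log_text, key="q_etc", drop_parent=True):
    """Group records by msg id and keep the groups whose SYSCALL record has
    the wanted audit key. Returns one row per event with EXE taken from the
    SYSCALL record and FILE as the sorted, de-duplicated list of PATH names,
    which is how values(name) behaves after 'stats ... by msg'. With
    drop_parent=False the PARENT directory record is kept, so FILE becomes
    multivalued for event 689."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["msg"]].append(rec)

    rows = []
    for msg_id, recs in events.items():
        syscalls = [r for r in recs if r.get("type") == "SYSCALL" and r.get("key") == key]
        if not syscalls:
            continue  # no keyed SYSCALL record: this event is outside the rule
        paths = [r for r in recs if r.get("type") == "PATH"]
        if drop_parent:
            paths = [r for r in paths if r.get("nametype") != "PARENT"]
        rows.append({
            "msg": msg_id,
            "EXE": syscalls[0]["exe"],
            "FILE": sorted({r["name"] for r in paths}),
        })
    return rows


def render_table(rows):
    """Lay the rows out as the two-column EXE / FILE table from the question;
    a multivalued FILE is shown comma-separated."""
    lines = [f"{'EXE':<24}FILE"]
    for r in rows:
        lines.append(f"{r['EXE']:<24}{', '.join(r['FILE'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(correlate(SAMPLE_LOG)))
    print()
    print(render_table(correlate(SAMPLE_LOG, drop_parent=False)))
```

Running it prints the /bin/rm passwd and /bin/vi shadow rows from the question first, then the same table with the PARENT record kept, where the first row reads "/etc, passwd"; that second output is what the accepted search shows when both PATH items reach the index and no nametype filter is applied.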