Splunk Search

What is the best way to use one auditd record to search for a second auditd record

davidschatz
New Member

Question: How do you use one auditd record which contains a key to extract a field from a second auditd record which does not have that key? They share a msg ID. Both fields need to be combined into one table (see below). Join? Subsearch?

This search fails:
earliest=-d@d | join msg [search key=q_etc] | table msg, exe, name, type

Example:

Record 1:
type=SYSCALL msg=audit(1494348060.908:689): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=1b740c0 a2=0 a3=15e items=2 ppid=1476 pid=1477 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/bin/rm" key="q_etc"

Record 2:
type=PATH msg=audit(1494348060.908:689): item=1 name="passwd" inode=988 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE

The table should show:

EXE...............................FILE
/bin/rm...........................passwd
/bin/vi............................shadow

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

We're assuming you have a bunch of different records that have q_etc as their "key", and you want the answers for all of them.

This code assumes that msg, exe, name and type are all predefined in your system:

index=foo ((type="SYSCALL" AND key="q_etc") OR type="PATH")
| table key msg type exe name

| rename COMMENT as "We have two kinds of records now"
| rename COMMENT as "type    key      msg                         exe       name"
| rename COMMENT as "SYSCALL tq_etc   audit(1494348060.908:689):  /bin/rm   NULL"
| rename COMMENT as "PATH    NULL     audit(1494348060.908:689):  NULL      passwd"

| rename COMMENT as "Roll them together by mesg, all the fields will be on one record."
| rename COMMENT as "and the type field will be multivalue with both PATH and SYSCALL."
| stats values(*) as * by msg
| table key msg type exe name

| rename COMMENT as "After verifying the above, this reformats to your output format"
| rename exe as EXE, name as FILE
| table EXE FILE

The table commands after the first one are not strictly necessary, they are just there so you will be able to understand what the data records look like at those points.


Once you've tested the above verbose code and you see that it works in your installation, and you know how it works, here's the clipped back, "just hand me the answer" version:

index=foo ((type="SYSCALL" AND key="q_etc") OR type="PATH")
| table msg exe name
| stats values(*) as * by msg
| rename exe as EXE, name as FILE
| table EXE FILE

View solution in original post

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

We're assuming you have a bunch of different records that have q_etc as their "key", and you want the answers for all of them.

This code assumes that msg, exe, name and type are all predefined in your system:

index=foo ((type="SYSCALL" AND key="q_etc") OR type="PATH")
| table key msg type exe name

| rename COMMENT as "We have two kinds of records now"
| rename COMMENT as "type    key      msg                         exe       name"
| rename COMMENT as "SYSCALL tq_etc   audit(1494348060.908:689):  /bin/rm   NULL"
| rename COMMENT as "PATH    NULL     audit(1494348060.908:689):  NULL      passwd"

| rename COMMENT as "Roll them together by mesg, all the fields will be on one record."
| rename COMMENT as "and the type field will be multivalue with both PATH and SYSCALL."
| stats values(*) as * by msg
| table key msg type exe name

| rename COMMENT as "After verifying the above, this reformats to your output format"
| rename exe as EXE, name as FILE
| table EXE FILE

The table commands after the first one are not strictly necessary, they are just there so you will be able to understand what the data records look like at those points.


Once you've tested the above verbose code and you see that it works in your installation, and you know how it works, here's the clipped back, "just hand me the answer" version:

index=foo ((type="SYSCALL" AND key="q_etc") OR type="PATH")
| table msg exe name
| stats values(*) as * by msg
| rename exe as EXE, name as FILE
| table EXE FILE

View solution in original post

0 Karma

davidschatz
New Member

Very elegant fix.

Using the stats command, your search string:
1) accepted all SYSCALL and PATH records,
2) subselected only SYSCALL records having the "q_etc" key,
3) extracted the "msg" field from the SYSCALL record,
4) used this "msg" field to search on all PATH records with the same "msg" field, and
5) create a combined table with both the SYSCALL "exe" and PATH file name fields

This was necessary for splunk/auditd integration, and creates very informative tables:

Thanks so much.

/bin/touch deleteme.txt 1000 ip-192-168-10-14
/bin/chmod deleteme.txt 1000 ip-192-168-10-14
/bin/cp deleteme.txt.2 1000 ip-192-168-10-14
/bin/rm deleteme.txt.2 1000 ip-192-168-10-14

0 Karma

wenthold
Communicator

I would use the transaction command...

source="/var/log/audit/audit.log" | transaction maxspan=1s msg | table exe name nametype
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!