Splunk and auditd
- requirements:
- change the auditd log_format from raw to enriched
- /etc/audit/auditd.conf
- Install the Splunk Add-on for Linux
- change the sourcetype to: linux:audit:enriched or linux:audit
- (I haven't checked yet which one works better)
combine the auditd log types (EXECVE|SYSCALL|PROCTITLE)
- switch the auditd log_format to 'enriched' so the resolved username (AUID/UID) is added to the logging
- "/etc/audit/auditd.conf" -> log_format=ENRICHED
- combine all events (EXECVE, SYSCALL and PROCTITLE share the same msg id, the audit event id)
- select only the fields you need to reduce the workload
- if you don't get any results, try filtering the subsearches or reducing the timespan of the search
index=auditd_data type="EXECVE"
``` msg (the audit event id) is the only field all three record types share; a0 is the argv[0] string in EXECVE but a pointer value in SYSCALL, so joining on it matches nothing ```
| join msg
[ search index=auditd_data type="SYSCALL"
| fields msg host AUID UID user key ]
| join msg
[ search index=auditd_data type="PROCTITLE"
| fields msg proctitle ]
| table _time host key AUID UID a0 proctitle
convert the proctitle field to ASCII
Auditd hex-encodes the proctitle value (the arguments are separated by NUL bytes), so you have to convert it back to ASCII.
- add a % before every character pair to create a URL-encoded string
- replace the NUL separator (%00) with a space (%20)
- decode the URL-encoded string to ASCII
# convert the hex-encoded proctitle of all PROCTITLE events to ASCII
index=* sourcetype=linux:audit:enriched type="PROCTITLE"
``` convert hex to ascii; a proctitle that is not hex-encoded (a single word without spaces, e.g. "bash") is left untouched so that digits in it are not mangled ```
| eval proctitle_ascii = if(match(proctitle,"^[0-9A-F]+$"), urldecode(replace(replace(proctitle,"([0-9A-F]{2})","%\1"),"%00","%20")), proctitle)