# fluent-plugin-filter-parse-audit-log
Fluentd Filter Plugin to parse [linux's audit log](https://github.com/linux-audit/audit-documentation/wiki).
[![Gem Version](https://badge.fury.io/rb/fluent-plugin-filter-parse-audit-log.svg)](http://badge.fury.io/rb/fluent-plugin-filter-parse-audit-log)
[![Build Status](https://travis-ci.org/winebarrel/fluent-plugin-filter-parse-audit-log.svg?branch=master)](https://travis-ci.org/winebarrel/fluent-plugin-filter-parse-audit-log)
## Installation
Add this line to your application's Gemfile:
```ruby
gem 'fluent-plugin-filter-audit-log'
```
And then execute:
$ bundle
Or install it yourself as:
$ gem install fluent-plugin-filter-audit-log
## Configuration
```
@type parse_audit_log
#key message
#flatten false
```
## Output
```
@type parse_audit_log
@type stdout
```
```sh
echo '{"message":"type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm=\"cat\" exe=\"/bin/cat\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"sshd_config\""}' \
| fluent-cat -t audit.log
```
```json
{
"header": {
"type": "SYSCALL",
"msg": "audit(1364481363.243:24287)"
},
"body": {
"arch": "c000003e",
"syscall": "2",
"success": "no",
"exit": "-13",
"a0": "7fffd19c5592",
"a1": "0",
"a2": "7fffd19c4b50",
"a3": "a",
"items": "1",
"ppid": "2686",
"pid": "3538",
"auid": "500",
"uid": "500",
"gid": "500",
"euid": "500",
"suid": "500",
"fsuid": "500",
"egid": "500",
"sgid": "500",
"fsgid": "500",
"tty": "pts0",
"ses": "1",
"comm": "\"cat\"",
"exe": "\"/bin/cat\"",
"subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
"key": "\"sshd_config\""
}
}
```
## Related Links
* https://github.com/winebarrel/audit_log_parser
* [7.6. Understanding Audit Log Files - Red Hat Customer Portal](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-understanding_audit_log_files)
* [SPEC Writing Good Events ยท linux-audit/audit-documentation Wiki](https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events)