Auditd

Auditd-related search macros, datamodel queries, transformations and configurations

Auditd is a tool for maintaining logs for events that take place on Linux systems to help system administrators and security analysts monitor security breaches and incidents.

Rules

Configure Linux system auditing with auditdRed Hat

You can use auditd.rules to get a better idea of how rules are written for auditd.

Configuration

Auditd, by default, stores logs in /var/log/audit directory. This path can be changed in the auditd.conf file.

Read more about it at - https://man7.org/linux/man-pages/man5/auditd.conf.5.html

The logs are stored in ASCII format as key-value pairs. Some of the values, such as proctitle, are encoded in hexadecimal format. You can use ausearch -i to decode it while viewing logs on the command line. The logs will have to be decoded using evals when importing them into Splunk -

Extracting time in a human-readable format along with the message ID

| rex field = msg "(?<unixtime>\\d{10}\.\\d{3})"
| rex field = msg ":(?<msg_id>\\d{6})"
| eval readable_time = strftime(unixtime, "%Y-%m-%d %H:%M:%S.%Q")

Decoding "proctitle" field

| eval process_title = urldecode(replace(proctitle,"([0-9A-F]{2})","%\1"))

Since each event is stored over multiple lines, when imported into Splunk, it will be split up into multiple "events" that will have to be grouped using the msg field. This can be done using the transaction command or by using a subsearch.

Using a subsearch to find complete events based on a key

index = auditd
| search [
    index = auditd
    | search key = <key_name>
    | fields msg
    | format ]