audit.log 연동.
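# Filebeat processors: turn one auditd record ("key=value key=value ...")
# into top-level fields. Filebeat ships an auditd module (and Auditbeat has
# one) that map this format to ECS; the hand-rolled pipeline below is the
# quick-look variant.
processors:
  # Keep only the raw line; every other field is derived from it below.
  - include_fields:
      fields: ["message"]
  # The script processor runs ECMAScript 5.1 (no let/const/arrow functions),
  # and `process(evt)` is the required entry point - a bare top-level loop is
  # never executed. A literal block (|) keeps the code's line breaks; a folded
  # block (>) would join lines and let a `//` comment swallow the next line.
  - script:
      lang: javascript
      source: |
        function process(evt) {
          var line = evt.Get("message");
          if (typeof line !== "string") {
            return;
          }
          // Match key=value pairs instead of stripping quotes and splitting
          // on spaces. auditd quotes values that may contain spaces
          // (comm="a b", exe="/opt/my app/bin"); splitting on spaces
          // truncates them and parses the remainder as new keys, which can
          // overwrite fields set earlier in the same record. The unquoted
          // branch (\S*) also keeps values that themselves contain '='.
          var pair = /([^\s=]+)=("([^"]*)"|\S*)/g;
          var m;
          while ((m = pair.exec(line)) !== null) {
            // m[3] is defined only for the quoted form; otherwise the raw token.
            evt.Put(m[1], m[3] !== undefined ? m[3] : m[2]);
          }
          // NOTE(review): values auditd hex-encodes (e.g. proctitle) are
          // left as-is; decode downstream if they are needed.
        }
  # msg looks like "audit(1745768855.270:63):" -> seconds.millis plus a
  # per-event serial; all records of one syscall share timestamp:sequence.
  - dissect:
      field: "msg"
      tokenizer: "%{}(%{timestamp}:%{sequence})%{}"
      target_prefix: ""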
{ "@timestamp": "2025-05-02T08:39:45.009Z", "@metadata": { "beat": "filebeat", "type": "_doc", "version": "9.0.0" }, "timestamp": "1745768855.270", "type": "NETFILTER_CFG", "msg": "audit(1745768855.270:63):", "table": "filter", "family": "10", "entries": "0", "message": "type=NETFILTER_CFG msg=audit(1745768855.270:63): table=filter family=10 entries=0"}{ "@timestamp": "2025-05-02T08:39:45.009Z", "@metadata": { "beat": "filebeat", "type": "_doc", "version": "9.0.0" }, "arch": "c000003e", "pid": "1336", "exe": "/usr/bin/kmod", "key": "(null)", "success": "yes", "a0": "1e2da20", "a1": "1d75", "exit": "0", "ppid": "1335", "ses": "4294967295", "subj": "system_u:system_r:insmod_t:s0", "auid": "4294967295", "gid": "0", "fsuid": "0", "egid": "0", "sgid": "0", "message": "type=SYSCALL msg=audit(1745768855.720:63): arch=c000003e syscall=175 success=yes exit=0 a0=1e2da20 a1=1d75 a2=41a2d8 a3=1e2a500 items=0 ppid=1335 pid=1336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", "syscall": "175", "a3": "1e2a500", "uid": "0", "timestamp": "1745768855.720", "type": "SYSCALL", "a2": "41a2d8", "items": "0", "euid": "0", "suid": "0", "msg": "audit(1745768855.720:63):", "fsgid": "0", "tty": "(none)", "comm": "modprobe"}
unix time을 date 포맷으로 바꿔야 한다. 예전 같으면 한참 헤맸겠지?
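# Filebeat processors: turn one auditd record ("key=value key=value ...")
# into top-level fields and set @timestamp from the kernel's event time.
# Filebeat ships an auditd module (and Auditbeat has one) that map this
# format to ECS; the hand-rolled pipeline below is the quick-look variant.
processors:
  # Keep only the raw line; every other field is derived from it below.
  - include_fields:
      fields: ["message"]
  # The script processor runs ECMAScript 5.1 (no let/const/arrow functions),
  # and `process(evt)` is the required entry point. A literal block (|) keeps
  # the code's line breaks; a folded block (>) would join lines and let a
  # `//` comment swallow the next line.
  - script:
      lang: javascript
      source: |
        function process(evt) {
          var line = evt.Get("message");
          if (typeof line !== "string") {
            return;
          }
          // Match key=value pairs instead of stripping quotes and splitting
          // on spaces. auditd quotes values that may contain spaces
          // (comm="a b", exe="/opt/my app/bin"); splitting on spaces
          // truncates them and parses the remainder as new keys, which can
          // overwrite fields set earlier in the same record. The unquoted
          // branch (\S*) also keeps values that themselves contain '='.
          var pair = /([^\s=]+)=("([^"]*)"|\S*)/g;
          var m;
          while ((m = pair.exec(line)) !== null) {
            // m[3] is defined only for the quoted form; otherwise the raw token.
            evt.Put(m[1], m[3] !== undefined ? m[3] : m[2]);
          }
          // NOTE(review): values auditd hex-encodes (e.g. proctitle) are
          // left as-is; decode downstream if they are needed.
        }
  # msg looks like "audit(1745768855.270:63):" -> seconds.millis plus a
  # per-event serial; all records of one syscall share timestamp:sequence.
  - dissect:
      field: "msg"
      tokenizer: "%{}(%{timestamp}:%{sequence})%{}"
      target_prefix: ""
  # Replace the ingest-time @timestamp with the kernel's event time.
  # (The built-in `timestamp` processor with a UNIX layout may cover this
  # as well; the script keeps the conversion explicit.)
  - script:
      lang: javascript
      source: |
        function process(evt) {
          var seconds = parseFloat(evt.Get("timestamp"));
          // If dissect did not yield a number, keep the ingest-time
          // @timestamp. Multiplying a missing value blindly gives
          // null * 1000 === 0 and silently stamps the event 1970-01-01.
          if (isNaN(seconds)) {
            return;
          }
          // Round so "1745768855.270" * 1000 lands on the exact millisecond.
          evt.Put("@timestamp", new Date(Math.round(seconds * 1000)));
        }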
{ "@timestamp": "2025-04-27T15:47:35.270Z", "@metadata": { "beat": "filebeat", "type": "_doc", "version": "9.0.0" }, "message": "type=NETFILTER_CFG msg=audit(1745768855.270:63): table=filter family=10 entries=0", "timestamp": "1745768855.270", "type": "NETFILTER_CFG", "msg": "audit(1745768855.270:63):", "table": "filter", "family": "10", "entries": "0"}{ "@timestamp": "2025-04-27T15:47:35.720Z", "@metadata": { "beat": "filebeat", "type": "_doc", "version": "9.0.0" }, "arch": "c000003e", "items": "0", "pid": "1336", "sgid": "0", "message": "type=SYSCALL msg=audit(1745768855.720:63): arch=c000003e syscall=175 success=yes exit=0 a0=1e2da20 a1=1d75 a2=41a2d8 a3=1e2a500 items=0 ppid=1335 pid=1336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)", "auid": "4294967295", "uid": "0", "exit": "0", "a0": "1e2da20", "fsgid": "0", "key": "(null)", "timestamp": "1745768855.720", "a1": "1d75", "a3": "1e2a500", "euid": "0", "fsuid": "0", "type": "SYSCALL", "ppid": "1335", "ses": "4294967295", "comm": "modprobe", "msg": "audit(1745768855.720:63):", "success": "yes", "egid": "0", "exe": "/usr/bin/kmod", "subj": "system_u:system_r:insmod_t:s0", "syscall": "175", "a2": "41a2d8", "gid": "0", "suid": "0", "tty": "(none)"}