How to parse audit_cmd in auditd logs?

Question

I have some lines of auditd.log that contains the key audit_cmd followed by a long string of HEX.

type=USER_CMD msg=audit(<TIMESTAMP>): pid=<PID> uid=<UID> auid=<AUID> ses=72940 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
msg='cwd="/home/<account>" cmd=2F62696E2F7368202D63206563686F204<HEX> terminal=pts/2 res=success'

How can I parse it?

Note: I might not be always on the machine that originally generated the logs (in some cases I look at logs already forwarded to an Elasticsearch server).

No. I'm not sure what's on it (since I don't know how to parse it) and it might be a security risk to post it online — Tom Klino, Sep 06 '17 at 11:28
found it: echo "<long hex string in audit_cmd section>" | xxd -r -p found in https://serverfault.com/a/673720/145823 — Tom Klino, Sep 06 '17 at 11:51
@TomKlino you should have considered the other easier answer in your link: ausearch -i to have the hex interpreted for you. — meuh, Sep 06 '17 at 12:50
Yes. See the note I've written in the question as to why this is not an ideal solution for me — Tom Klino, Sep 06 '17 at 13:19

score 1 · Answer 1 · answered Sep 20 '19 at 10:12

I were running into the same question as I was collection auditd.log via SplunkUniversalForwarder and for investigation in Splunk.

As @Tom Klino already mentioned and discussed under auditd execve arguments looks like encoded data, the command string seems to be HEX encoded ASCII.

Therefore it would be possible to decode it via

echo "<HEX encoded ASCII string>" | xxd -r -p

on the remote log collector (i.e. Splunk) later (and if xxd became installed with vim ).

A better approach for me seems to be to preprocess the log with ausearch -if audit.log -i and collect it with the Splunk app rlog.sh.

How to parse audit_cmd in auditd logs?

1 Answers1