
I have some lines of auditd.log that contain the key audit_cmd followed by a long string of HEX.

type=USER_CMD msg=audit(<TIMESTAMP>): pid=<PID> uid=<UID> auid=<AUID> ses=72940 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
msg='cwd="/home/<account>" cmd=2F62696E2F7368202D63206563686F204<HEX> terminal=pts/2 res=success' 

How can I parse it?

Note: I might not be always on the machine that originally generated the logs (in some cases I look at logs already forwarded to an Elasticsearch server).

Stephen Kitt
Tom Klino

1 Answer


I was running into the same question as I was collecting auditd.log via SplunkUniversalForwarder for investigation in Splunk.

As @Tom Klino already mentioned and discussed under "auditd execve arguments looks like encoded data", the command string seems to be HEX-encoded ASCII.

Therefore it would be possible to decode it via

echo "<HEX encoded ASCII string>" | xxd -r -p

on the remote log collector (i.e. Splunk) later (provided xxd was installed along with vim).

A better approach for me seems to be to preprocess the log with ausearch -if audit.log -i and collect it with the Splunk app rlog.sh.

U880D