
Here's my attempt at a parser extension:

filter {
  mutate {
    replace => {
      "principal.user.user_display_name" => "UNKNOWN"
    }
  }
  grok {
    match => { "message" => ["ruser=(?<user>[^ ]+)", "user (?<user>[^:]+)"] }
    overwrite => ["principal.user.user_display_name"]
    on_error => "User update failed"
  }

  statedump {}
  mutate { merge => { "@output" => "event" } }
}

I get the following error:

generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: pipeline failed: filter mutate (3) failed: merge failure: merge source field \"event\" must not be empty (try using replace to provide the value before calling merge)"

Can someone help me understand what's wrong? A sample log entry would be as follows:

<85>Nov 4 12:07:00 system-name sudo[2700721]: pam_sss(sudo:auth): authentication failure; logname=johnf uid=5354 euid=0 tty=/dev/pts/1 ruser=johnf rhost= user=johnf

I'd recommend using KV extraction for logs that have key/value pairs (much easier than Grok). I updated the parser extension to use that, and also included some missing data from the target field that was causing the issue.


New Parser


filter {
  # initialize the token
  mutate {
    replace => {
      "user" => ""
    }
  }

  kv {
    source => "message"
    field_split => " "
    value_split => "="
  }
  #statedump{}

  if [user] != "" {
    mutate {
      replace => {
        "event.idm.read_only_udm.principal.user.user_display_name" => "%{user}"
      }
    }
  }

  mutate {
    merge => {
      "@output" => "event"
    }
  }
}

It will yield this UDM event:


metadata.event_timestamp : "2024-11-04T12:07:00Z"
metadata.event_type : "STATUS_UPDATE"
metadata.vendor_name : "Linux"
metadata.product_name : "AuditD"
metadata.product_event_type : "sudo"
metadata.description : "pam_sss(sudo:auth): authentication failure; logname=johnf uid=5354 euid=0 tty=/dev/pts/1 ruser=johnf rhost= user=johnf"
metadata.log_type : "AUDITD"
principal.hostname : "system-name"
principal.user.user_display_name : "johnf"
intermediary[0].hostname : "system-name"

Hope this helps!


-mike


Thanks, Mike, for taking a look into this.
In hindsight I should have shared that there were other log entries from the same source that don't follow the KV pattern.

Is there a way to just look at sudo events?


<86>Mar 5 12:25:43 system-name sshd[91732]: Did not receive identification string from 192.168.1.1 port 34876
<85>Nov 4 13:13:28 system-name sudo[3891200]: pam_sss(sudo:auth): received for user johnf: 7 (Authentication failure)


But the parser works perfectly well for the given log.



I ended up with:

filter {
  # initialize the token
  # Decode Unicode escape sequences (e.g., \u003c85\u003e -> <85>)

  # statedump{}
  if ([message] =~ /sudo:auth/ and [message] =~ /=/)
  {
    mutate {
      replace => {
        "user" => ""
      }
    }
    kv {
      source => "message"
      field_split => " "
      value_split => "="
    }

    if [user] != "" {
      mutate {
        replace => {
          "event.idm.read_only_udm.principal.user.user_display_name" => "%{user}"
        }
      }
    }
    mutate {
      merge => {
        "@output" => "event"
      }
    }
  }

  # statedump{}
}
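As an added example (not Mike's or the original poster's code), here is one way to extend the final parser so it also picks up the second sudo line from the follow-up ("received for user johnf: 7 (Authentication failure)"), which has no key=value pairs, while still skipping the sshd line and never calling merge on an empty "event". It assumes the same UDM target field as above; "grok_failed" is a field name chosen for this example, set by grok when no pattern matches.

```logstash
filter {
  # Only sudo PAM auth messages are handled; anything else (e.g. sshd) is left untouched.
  if [message] =~ /sudo:auth/ {
    mutate {
      replace => { "user" => "" }
    }

    # Format 1: key=value pairs ("... ruser=johnf rhost= user=johnf")
    if [message] =~ /user=/ {
      kv {
        source => "message"
        field_split => " "
        value_split => "="
      }
    }

    # Format 2: "received for user johnf: 7 (Authentication failure)".
    # "user" already exists (initialised above), so grok needs overwrite to set it.
    if [user] == "" {
      grok {
        match => { "message" => ["received for user (?<user>[^:]+):"] }
        overwrite => ["user"]
        on_error => "grok_failed"
      }
    }

    # Build and merge the UDM event only when a user was actually extracted,
    # so merge never runs against an empty "event" (the error from the first post).
    if [user] != "" {
      mutate {
        replace => {
          "event.idm.read_only_udm.principal.user.user_display_name" => "%{user}"
        }
      }
      mutate {
        merge => { "@output" => "event" }
      }
    }
  }
}
```

For the two sample sudo lines this sets user_display_name to "johnf" via kv and grok respectively; the sshd line produces no merged event.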
