
Here's my attempt at a parser extension:


filter {
  mutate {
    replace => { "principal.user.user_display_name" => "UNKNOWN" }
  }
  grok {
    match => { "message" => ["ruser=(?<user>[^ ]+)", "user (?<user>[^:]+)"] }
    overwrite => ["principal.user.user_display_name"]
    on_error => "User update failed"
  }
  statedump {}
  mutate {
    merge => { "@output" => "event" }
  }
}


I get the following error:


generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: pipeline failed: filter mutate (3) failed: merge failure: merge source field \\"event\\" must not be empty (try using replace to provide the value before calling merge)"


Can someone help me understand what's wrong? A sample log entry would be as follows:


<85>Nov 4 12:07:00 system-name sudo[2700721]: pam_sss(sudo:auth): authentication failure; logname=johnf uid=5354 euid=0 tty=/dev/pts/1 ruser=johnf rhost= user=johnf

I'd recommend using KV extraction for logs that have key/value pairs (much easier than Grok). I updated the parser extension to use that, and also included some missing data from the target field that was causing the issue. 

New Parser

filter {
  # initialize the token
  mutate {
    replace => { "user" => "" }
  }
  kv {
    source => "message"
    field_split => " "
    value_split => "="
  }
  #statedump{}
  if [user] != "" {
    mutate {
      replace => { "event.idm.read_only_udm.principal.user.user_display_name" => "%{user}" }
    }
  }
  mutate {
    merge => { "@output" => "event" }
  }
}

Will yield this UDM event:

metadata.event_timestamp : "2024-11-04T12:07:00Z"
metadata.event_type : "STATUS_UPDATE"
metadata.vendor_name : "Linux"
metadata.product_name : "AuditD"
metadata.product_event_type : "sudo"
metadata.description : "pam_sss(sudo:auth): authentication failure; logname=johnf uid=5354 euid=0 tty=/dev/pts/1 ruser=johnf rhost= user=johnf"
metadata.log_type : "AUDITD"
principal.hostname : "system-name"
principal.user.user_display_name : "johnf"
intermediary[0].hostname : "system-name"

Hope this helps!

-mike


Thanks, Mike, for taking a look into this.
In hindsight I should have shared that there were other log entries from the same source that don't follow the KV pattern.

Is there a way to just look at sudo events?


<86>Mar 5 12:25:43 system-name sshd[91732]: Did not receive identification string from 192.168.1.1 port 34876
<85>Nov 4 13:13:28 system-name sudo[3891200]: pam_sss(sudo:auth): received for user johnf: 7 (Authentication failure)

But the parser works perfectly well for the given log. 

I ended up with:

filter {
  # initialize the token
  # Decode Unicode escape sequences (e.g., \\u003c85\\u003e -> <85>)
  # statedump{}
  if ([message] =~ /sudo:auth/ and [message] =~ /=/) {
    mutate {
      replace => { "user" => "" }
    }
    kv {
      source => "message"
      field_split => " "
      value_split => "="
    }
    if [user] != "" {
      mutate {
        replace => { "event.idm.read_only_udm.principal.user.user_display_name" => "%{user}" }
      }
    }
    mutate {
      merge => { "@output" => "event" }
    }
  }
  # statedump{}
}
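To check the routing logic of that final filter before deploying it, here is an added Python model (not Chronicle's parser engine and not code from anyone in this thread) of the kv extraction, the sudo:auth guard and the merge into @output, run over the three sample lines posted above. The merge check assumes a missing or empty source field errors the way the quoted error message describes.

```python
# Constructed sample lines, copied from the thread; each is one raw "message".
SAMPLE_LOGS = [
    "<85>Nov 4 12:07:00 system-name sudo[2700721]: pam_sss(sudo:auth): authentication failure; "
    "logname=johnf uid=5354 euid=0 tty=/dev/pts/1 ruser=johnf rhost= user=johnf",
    "<86>Mar 5 12:25:43 system-name sshd[91732]: Did not receive identification string from 192.168.1.1 port 34876",
    "<85>Nov 4 13:13:28 system-name sudo[3891200]: pam_sss(sudo:auth): received for user johnf: 7 (Authentication failure)",
]

UDM_USER = "event.idm.read_only_udm.principal.user.user_display_name"


def kv_extract(message, field_split=" ", value_split="="):
    """Model of the kv filter: split on field_split, then each token on its first
    value_split. Tokens without '=' are skipped; an empty value (rhost=) is kept as ''."""
    fields = {}
    for token in message.split(field_split):
        key, sep, value = token.partition(value_split)
        if sep and key:
            fields[key] = value
    return fields


def set_path(state, dotted, value):
    """Create the nested dicts for a dotted target such as event.idm...user_display_name."""
    node = state
    *parents, leaf = dotted.split(".")
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value


def merge_output(state, source):
    """Model (assumption) of mutate.merge into @output: the source must exist and be
    non-empty, otherwise the pipeline errors as the first attempt in the thread did."""
    if not state.get(source):
        raise ValueError(f'merge source field "{source}" must not be empty')
    return state[source]


def parser_extension(message):
    """Final filter from the thread: only sudo:auth lines that carry '=' pairs are
    parsed; returns the merged event, or None when the line is passed through untouched."""
    state = {}
    if "sudo:auth" in message and "=" in message:
        user = kv_extract(message).get("user", "")
        if user != "":
            set_path(state, UDM_USER, user)
        return merge_output(state, "event")
    return None
```

A sudo:auth line that contains "=" but no user= pair still reaches the merge with an empty event in this model, which is the same failure mode as the first attempt.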