Here is my data (linux_audit):
type=EXECVE msg=audit(1567181894.530:909): argc=2 a0="cat" a1="audit.log"
type=EXECVE msg=audit(1567181796.532:830): argc=4 a0="sudo" a1="chmod" a2="+x" a3="commandandcontrol.sh"
type=EXECVE msg=audit(1567181863.387:865): argc=1 a0="/usr/bin/hostname"
I'm trying to create a field with a value that is the full command, concatenating the arguments. Here would be the values for these logs:
cat audit.log
sudo chmod -x commandandcontrol.sh
/usr/bin/hostname
The tricky part is creating a field from an unknown number of arguments. Right now, I'm doing rex commands in SPL, but it'd be nice to use an eval or regular expressions to create this field in props/transforms.
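Added example, not from the original post or from Splunk: a small Python parser that builds the full command from an EXECVE record with an unknown number of arguments. Beyond the three records in the question it also handles two things a practitioner hits in real auditd data: arguments are joined in numeric index order (so a10 does not land after a1), and an argument that auditd hex-encoded (no quotes, because it contained whitespace or non-printable bytes) is decoded back to text. The fourth sample record, the function names and the `argc_consistent` check are my own constructions.

```python
import re
from typing import Dict, Optional

# Constructed sample records: the three EXECVE lines from the question plus a
# fourth, constructed one in which auditd hex-encoded a1 because the argument
# contained a space (6d792066696c652e747874 == "my file.txt").
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1567181894.530:909): argc=2 a0="cat" a1="audit.log"',
    'type=EXECVE msg=audit(1567181796.532:830): argc=4 a0="sudo" a1="chmod" a2="+x" a3="commandandcontrol.sh"',
    'type=EXECVE msg=audit(1567181863.387:865): argc=1 a0="/usr/bin/hostname"',
    'type=EXECVE msg=audit(1567181900.000:950): argc=2 a0="cat" a1=6d792066696c652e747874',
]

# aN="quoted value" for plain arguments, or aN=HEX when auditd hex-encodes an
# argument that contains whitespace, quotes or non-printable bytes.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
ARGC_RE = re.compile(r'\bargc=(\d+)')


def parse_execve_args(record: str) -> Dict[int, str]:
    """Return {index: decoded argument} for every aN= field in an EXECVE record."""
    args: Dict[int, str] = {}
    for m in ARG_RE.finditer(record):
        idx, quoted, hexval = int(m.group(1)), m.group(2), m.group(3)
        if quoted is not None:
            args[idx] = quoted
        else:
            # Hex-encoded argument: decode the bytes, tolerate non-UTF-8 content.
            args[idx] = bytes.fromhex(hexval).decode("utf-8", errors="replace")
    return args


def full_command(record: str) -> Optional[str]:
    """Concatenate a0..aN in numeric order (a10 after a9, not after a1)."""
    if "type=EXECVE" not in record:
        return None
    args = parse_execve_args(record)
    if not args:
        return None
    return " ".join(args[i] for i in sorted(args))


def argc_consistent(record: str) -> bool:
    """True when argc matches the parsed arguments and the indexes are 0..argc-1.

    A False result means the record is truncated or was split, so the joined
    command should not be trusted as the complete command line.
    """
    m = ARGC_RE.search(record)
    if m is None:
        return False
    argc = int(m.group(1))
    return sorted(parse_execve_args(record)) == list(range(argc))


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{full_command(rec)!r:45} argc_ok={argc_consistent(rec)}")
```

For the search-time SPL equivalent (my suggestion, not from the post), the same idea is `| rex max_match=0 "a\d+=\"(?<arg>[^\"]*)\"" | eval command=mvjoin(arg, " ")`; note that this relies on the arguments appearing in textual order and does not decode hex-encoded (unquoted) arguments, which is the gap the Python version closes.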