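beta_praudit = {

  # The name of the log format
  log.format.format_label = "praudit Log Format (BETA)"
  log.miscellaneous.log_data_type = "other"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular expression.
  # Two header layouts are recognised: "event,modifier,<timestamp>" and
  # "event,modifier,<host>,<timestamp>" (one extra comma-separated column).
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, 'header,[0-9]+,[0-9]+,[^,]+,[^,]*,[A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9][0-9] [0-9]+:[0-9][0-9]:[0-9][0-9].* [0-9]+ msec') or
    matches_regular_expression(volatile.log_data_line, 'header,[0-9]+,[0-9]+,[^,]+,[^,]*,[^,]*,[A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9][0-9] [0-9]+:[0-9][0-9]:[0-9][0-9].* [0-9]+ msec')
  `

  log.format.parse_only_with_filters = "true"

  # Log fields
  # Every value below is copied verbatim from the audit record by the parsing filter;
  # the filter does no validation beyond the character classes in its regular expressions.
  log.fields = {
    date = ""
    time = ""
    audit_event_id = ""
    audit_event_id_modifier = ""
    invariant_audit_id = ""
    effective_user_id = ""
    effective_group_id = ""
    real_user_id = ""
    real_group_id = ""
    process_id = ""
    audit_session_id = ""
    terminal_id = ""
    text = ""
    return_message = ""
    return_code = ""
    path = ""
    # attribute
    access_mode = ""
    owner_user_id = ""
    owner_group_id = ""
    file_system_id = ""
    inode_id = ""
    device_id = ""
    # exec_args
    exec_args = ""
  } # log.fields

  log.parsing_filters.parse = `
    #
    # This supports praudit format with one event type per line, and in -l format with all events concatenated on a line.
    # This also supports Snare Solaris praudit lines, which concatenate all these pieces, like this:
    #
    #<14> Jan 10 18:24:19 columbo SolarisBSM 1 header,151,2,execve(2),,Tue Jan 10 18:24:19 CLST 2005, + 699 msec path,/usr/sbin/in.telnetd attribute,100555,root,bin,85,9499,0 exec_args,1,in.telnetd subject,-2,root,root,root,root,18335,0,0 0 0.0.0.0 return,success,0 sequence,23438 snareseq,3
    #
    # Because records may be concatenated on one line, the record patterns below are not
    # anchored to the start of the line and most captures stop at the first space; a capture
    # that ran past a space would swallow the following record in the Snare form.
    # An entry is only accepted when its "return" record is seen (see the end of this filter).

    #header,94,2,AUE_ssh,,Fri Jan 28 16:53:58 CST 2005, + 510 msec
    # Header with a timezone before the year. $3 = month, $4 = day, $5 = time, $6 = year;
    # the date is assembled as day/month/year.
    if (matches_regular_expression(current_log_line(), 'header,[0-9]*,[0-9]*,([^,]*),([^,]*),[A-Z][a-z][a-z] ([A-Z][a-z][a-z]) ([0-9][0-9]) ([0-9]+:[0-9][0-9]:[0-9][0-9]) [A-Z]+ ([0-9]+),')) then (
      set_collected_field('', 'audit_event_id', $1);
      # Field name must match log.fields; the original wrote to an undeclared 'id_modifier'.
      set_collected_field('', 'audit_event_id_modifier', $2);
      set_collected_field('', 'date', $4 . '/' . $3 . '/' . $6);
      set_collected_field('', 'time', $5);
    );

    #header,215,4,execve(2),sp,fuddoi.hs.ltsr.xyz,Sun Jun 05 21:12:28 2003, + 0 msec,path,/usr/sbin/audit,attribute,100555,root,bin,118,848296,0,sensitivity label,ADMIN_LOW,use of privilege,successful use of priv,proc_dumpcore,subject,star,root,sysadmin,secadmin,sysadmin,743,560,0 0 fuddoi.hs.ltsr.xyz,sensitivity label,ADMIN_HIGH,return,success,0
    # Header with an extra host column and no timezone before the year. This form is
    # anchored to the start of the line, unlike the first form.
    else if (matches_regular_expression(current_log_line(), '^header,[0-9]*,[0-9]*,([^,]*),([^,]*),[^,]*,[A-Z][a-z][a-z] ([A-Z][a-z][a-z]) ([0-9][0-9]) ([0-9]+:[0-9][0-9]:[0-9][0-9]) ([0-9]+),')) then (
      set_collected_field('', 'audit_event_id', $1);
      set_collected_field('', 'audit_event_id_modifier', $2);
      set_collected_field('', 'date', $4 . '/' . $3 . '/' . $6);
      set_collected_field('', 'time', $5);
    );

    #subject,beckford,beckford,sysadmin,beckford,sysadmin,550,550,0 2190 192.168.254.11
    # terminal_id captures only the first space-delimited token after the session id
    # ("0" in the sample); the port and address that follow it are not collected.
    if (matches_regular_expression(current_log_line(), 'subject,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([0-9]*),([0-9]*),([^ ]*)')) then (
      set_collected_field('', 'invariant_audit_id', $1);
      set_collected_field('', 'effective_user_id', $2);
      set_collected_field('', 'effective_group_id', $3);
      set_collected_field('', 'real_user_id', $4);
      set_collected_field('', 'real_group_id', $5);
      set_collected_field('', 'process_id', $6);
      set_collected_field('', 'audit_session_id', $7);
      set_collected_field('', 'terminal_id', $8);
    );

    #attribute,100555,root,bin,85,9499,0
    if (matches_regular_expression(current_log_line(), 'attribute,([0-9]*),([^,]*),([^,]*),([0-9]*),([0-9]*),([0-9]*)')) then (
      set_collected_field('', 'access_mode', $1);
      set_collected_field('', 'owner_user_id', $2);
      set_collected_field('', 'owner_group_id', $3);
      set_collected_field('', 'file_system_id', $4);
      set_collected_field('', 'inode_id', $5);
      set_collected_field('', 'device_id', $6);
    );

    #exec_args,3,sh,-c,/usr/ucb/mail
    # The argument count is skipped; the comma-joined arguments up to the first space are kept.
    if (matches_regular_expression(current_log_line(), 'exec_args,[0-9]*,([^ ]*)')) then (
      set_collected_field('', 'exec_args', $1);
    );

    #text,invalid password or publickey
    # The capture stops at the first space or comma, so a multi-word message like the
    # sample is reduced to its first word ("invalid"). Widening it is not safe for the
    # Snare concatenated form, where a space starts the next record.
    if (matches_regular_expression(current_log_line(), 'text,([^, ]*)')) then (
      set_collected_field('', 'text', $1);
    );

    # path
    # Same limitation as text: a path containing a space or comma is truncated.
    if (matches_regular_expression(current_log_line(), 'path,([^, ]*)')) then (
      set_collected_field('', 'path', $1);
    );

    #return,failure: Interrupted system call,-1
    # The return record closes the entry; the optional sign is accepted once.
    if (matches_regular_expression(current_log_line(), 'return,([^,]*),(-?[0-9]+)')) then (
      set_collected_field('', 'return_message', $1);
      set_collected_field('', 'return_code', $2);
      accept_collected_entry('', false);
    );
  `

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    audit_event_id = ""
    audit_event_id_modifier = ""
    invariant_audit_id = ""
    effective_user_id = ""
    effective_group_id = ""
    real_user_id = ""
    real_group_id = ""
    process_id = ""
    audit_session_id = ""
    terminal_id = ""
    text = ""
    return_message = ""
    return_code = ""
    path = ""
    access_mode = ""
    owner_user_id = ""
    owner_group_id = ""
    file_system_id = ""
    inode_id = ""
    device_id = ""
    exec_args = ""
  } # database.fields

  # Log Filters
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  log.field_options = {
    sessions_page_field = "page"
    sessions_visitor_id_field = "hostname"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    events = {
      label = "$lang_stats.field_labels.events"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    date_time_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      audit_event_id = ""
      audit_event_id_modifier = ""
      invariant_audit_id = ""
      effective_user_id = ""
      effective_group_id = ""
      real_user_id = ""
      real_group_id = ""
      process_id = ""
      audit_session_id = ""
      terminal_id = ""
      text = ""
      return_message = ""
      return_code = ""
    } # report_groups
  } # create_profile_wizard_options

} # beta_praudit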