

@Fabian1976
Forked from sakalajuraj/auditd.conf
Created March 14, 2017 10:56

Revisions

  1. @sakalajuraj sakalajuraj revised this gist Apr 17, 2015. 2 changed files with 3 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion auditd.conf
    @@ -41,7 +41,8 @@ filter {
    "msg", "%{AUDITD_22}",
    "msg", "%{AUDITD_23}",
    "msg", "%{AUDITD_24}",
    "msg", "%{AUDITD_25}"
    "msg", "%{AUDITD_25}",
    "msg", "%{AUDITD_26}"
    ]
    }
    mutate {
    1 change: 1 addition & 0 deletions custom_parsers
    @@ -25,6 +25,7 @@ AUDITD_6 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{
    AUDITD_7 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" capability=%{INT:audit_capability}\s+scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}
    AUDITD_8 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" name=\"%{DATA:audit_name}\" scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}
    AUDITD_25 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" name=\"%{DATA:audit_name}\" dev=\"%{WORD:audit_dev}\" ino=%{INT:audit_ino} scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{DATA:audit_tclass}
    AUDITD_26 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=%{WORD:audit_comm} dest=%{INT:audit_dest}\s+scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}

    ### SERVICE_START, SERVICE_STOP
    AUDITD_9 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\' comm=%{DATA:audit_comm} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
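Review bot: The AUDITD_26 line added here matches `comm=%{WORD:audit_comm}` with no surrounding `\"` quotes, while AUDITD_6, AUDITD_7, AUDITD_8 and AUDITD_25 in the same AVC group all expect `comm=\"%{WORD:audit_comm}\"`. If the records this pattern is meant for quote comm the way the other AVC records do, it will never match and those events fall through to `_grokparsefailure`; worth confirming against one real line and, if so, changing it to `comm=\"%{WORD:audit_comm}\" dest=%{INT:audit_dest}`. A one-line `###` comment naming the record type it covers, as the other groups have, would also help, since it is appended to the AVC block without one.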
  2. @sakalajuraj sakalajuraj revised this gist Apr 17, 2015. 1 changed file with 15 additions and 15 deletions.
    30 changes: 15 additions & 15 deletions custom_parsers
    @@ -5,20 +5,20 @@ HOSTNAME2 \b(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z_-]{0

    AUDITDTRIAL node=%{HOSTNAME2} type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\):

    ### USER_START, USER_END, CRED_ACQ, USER_ACCT, CRED_DISSP, CRED_REFR, USER_AUTH, USER_ERR
    AUDITD_1 pid=%{INT:audit_pid} uid=%{INT:audit_uid} auid=%{INT:audit_auid} ses=%{INT:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} grantors=%{DATA:audit_grantors} acct=\"(%{WORD:user}|\?)\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
    ### USER_START, USER_END, CRED_ACQ, USER_ACCT, CRED_DISP, CRED_REFR, USER_AUTH, USER_ERR
    AUDITD_1 pid=%{INT:audit_pid} uid=%{INT:audit_uid} auid=%{INT:audit_auid} ses=%{INT:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} grantors=%{DATA:audit_grantors} acct=\"(%{WORD:user}|\?)\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'

    ### LOGIN
    AUDITD_2 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} subj=%{DATA:audit_subject} old-auid=%{NUMBER:audit_oldauid} auid=%{NUMBER:audit_auid} old-ses=%{NUMBER:audit_oldses} ses=%{NUMBER:audit_ses} res=%{GREEDYDATA:audit_res}
    AUDITD_2 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid}( subj=%{DATA:audit_subject})? old-auid=%{NUMBER:audit_oldauid} auid=%{NUMBER:audit_auid} old-ses=%{NUMBER:audit_oldses} ses=%{NUMBER:audit_ses} res=%{GREEDYDATA:audit_res}

    ### SYSCALL
    AUDITD_3 arch=%{DATA} syscall=%{NUMBER:audit_syscall} success=%{WORD:audit_success} exit=%{INT:audit_exit} a0=%{WORD:audit_a0} a1=%{WORD:audit_a1} a2=%{WORD:audit_a2} a3=%{WORD:audit_a3} items=%{INT:audit_items} ppid=%{INT:audit_ppid} pid=%{INT:audit_pid} auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} euid=%{INT:audit_euid} suid=%{INT:audit_suid} fsuid=%{INT:audit_fsuid} egid=%{INT:audit_egid} sgid=%{INT:audit_sgid} fsgid=%{INT:audit_fsgid} tty=%{DATA:audit_tty} ses=%{INT:audit_ses} comm=\"%{WORD:audit_comm}\" exe=\"%{DATA:audit_exe}\" subj=%{DATA:audit_subj} key=%{DATA:audit_key}

    ### NETFILTER_CFG
    AUDITD_4 table=%{WORD:audit_table} family=%{INT:audit_family} entries=%{INT:audit_entries}

    ### CRYPTO_KEY_USER !!!!
    AUDITD_5 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} kind=%{WORD:audit_kind} fp=%{DATA:audit_fp} direction=%{DATA:audit_direction} spid=%{INT:audit_spid} suid=%{INT:audit_suid}\s+exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
    ### CRYPTO_KEY_USER
    AUDITD_5 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} kind=%{WORD:audit_kind} fp=%{DATA:audit_fp} direction=%{DATA:audit_direction} spid=%{INT:audit_spid} suid=%{INT:audit_suid}( rport=%{INT:src_port} laddr=%{IPV4:dst_ip} lport=%{INT:dst_port})?\s+exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'

    ### AVC
    AUDITD_6 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" path=\"%{DATA:audit_path}\" dev=\"%{WORD:audit_dev}\" ino=%{INT:audit_ino} scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}
    @@ -27,25 +27,25 @@ AUDITD_8 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{
    AUDITD_25 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" name=\"%{DATA:audit_name}\" dev=\"%{WORD:audit_dev}\" ino=%{INT:audit_ino} scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{DATA:audit_tclass}

    ### SERVICE_START, SERVICE_STOP
    AUDITD_9 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\' comm=%{DATA:audit_comm} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
    AUDITD_9 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\' comm=%{DATA:audit_comm} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'

    ### CRYPTO_SESSION
    AUDITD_10 pid=%{INT:audit_pid} uid=%{INT:audit_uid} auid=%{INT:audit_auid} ses=%{INT:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} direction=%{DATA:audit_direction} cipher=%{DATA:audit_cipher} ksize=%{INT:audit_ksize} mac=%{DATA:audit_mac} pfs=%{DATA:audit_pfs} spid=%{INT:audit_spid} suid=%{INT:audit_suid} rport=%{INT:src_port} laddr=%{IPV4:dst_ip} lport=%{INT:dst_port}\s+exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{WORD:audit_terminal} res=%{DATA:audit_res}\'
    AUDITD_10 pid=%{INT:audit_pid} uid=%{INT:audit_uid} auid=%{INT:audit_auid} ses=%{INT:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} direction=%{DATA:audit_direction} cipher=%{DATA:audit_cipher} ksize=%{INT:audit_ksize} mac=%{DATA:audit_mac} pfs=%{DATA:audit_pfs} spid=%{INT:audit_spid} suid=%{INT:audit_suid} rport=%{INT:src_port} laddr=%{IPV4:dst_ip} lport=%{INT:dst_port}\s+exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'


    ### USER_LOGIN, USER_LOGOUT, USER_CHAUTHOK, ADD_USER, ADD_GROUP, USER_ERR
    AUDITD_11 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} id=%{INT:audit_id} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
    AUDITD_12 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} acct=\"%{DATA:user}\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
    AUDITD_11 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} id=%{INT:audit_id} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
    AUDITD_12 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} acct=\"%{DATA:user}\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'

    ### USER_ROLE_CHANGE
    AUDITD_13 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'pam: default-context=%{DATA:audit_defaultcontext} selected-context=%{DATA:audit_selectedcontext} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
    AUDITD_13 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'pam: default-context=%{DATA:audit_defaultcontext} selected-context=%{DATA:audit_selectedcontext} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'

    ### USER_CMD
    AUDITD_14 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'cwd=%{DATA:audit_cwd} cmd=%{DATA:audit_cmd} terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
    AUDITD_14 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'cwd=%{DATA:audit_cwd} cmd=%{DATA:audit_cmd} terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'

    ### USER_AVC
    AUDITD_15 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \}\s+for auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} path=\"%{DATA:audit_path}\" cmdline=\"%{DATA:audit_cmdline}\" scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}\s+exe=\"%{DATA:audit_exe}\" sauid=%{INT:audit_sauid} hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal}\'
    AUDITD_16 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'avc:\s+%{DATA:audit_avcmsg}\s+exe=\"%{DATA:audit_exe}\" sauid=%{INT:audit_sauid} hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal}\'
    AUDITD_15 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \}\s+for auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} path=\"%{DATA:audit_path}\" cmdline=\"%{DATA:audit_cmdline}\" scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}\s+exe=\"%{DATA:audit_exe}\" sauid=%{INT:audit_sauid} hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal}\'
    AUDITD_16 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'avc:\s+%{DATA:audit_avcmsg}\s+exe=\"%{DATA:audit_exe}\" sauid=%{INT:audit_sauid} hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal}\'

    ### ANOM_PROMISCUOUS
    AUDITD_17 dev=%{WORD:audit_dev} prom=%{INT:audit_prom} old_prom=%{INT:audit_oldprom} auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} ses=%{INT:audit_ses}
    @@ -54,10 +54,10 @@ AUDITD_17 dev=%{WORD:audit_dev} prom=%{INT:audit_prom} old_prom=%{INT:audit_oldp
    AUDITD_18 enforcing=%{INT:audit_enforcing} old_enforcing=%{INT:audit_oldenforcing} auid=%{INT:audit_auid} ses=%{INT:audit_ses}

    ### ANON_ABEND
    AUDITD_19 auid=%{NUMBER:audit_auid} uid=%{NUMBER:audit_uid} gid=%{INT:audit_gid} ses=%{INT:audit_ses} subj=%{DATA:audit_subject} pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" reason=\"%{DATA:audit_reason}\" sig=%{INT:audit_sig}
    AUDITD_19 auid=%{NUMBER:audit_auid} uid=%{NUMBER:audit_uid} gid=%{INT:audit_gid} ses=%{INT:audit_ses}( subj=%{DATA:audit_subject})? pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" reason=\"%{DATA:audit_reason}\" sig=%{INT:audit_sig}

    ### USER_MGMT
    AUDITD_20 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} grp=\"%{WORD:audit_id}\" acct=\"%{DATA:user}\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
    AUDITD_20 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}( subj=%{DATA:audit_subject})? msg=\'op=%{DATA:audit_op} grp=\"%{WORD:audit_id}\" acct=\"%{DATA:user}\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'

    ### MAC_POLICY_LOADED
    AUDITD_21 policy loaded auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}
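Review bot: Every pattern rewritten in this revision keeps `addr=(%{IPV4:src_ip}|\?)`, and the optional group added to AUDITD_5 introduces `laddr=%{IPV4:dst_ip}`, so on a host that accepts IPv6 connections a login or crypto record carrying an IPv6 address matches none of them and is indexed as `_grokparsefailure` with its uid/acct/res fields unparsed, a silent gap in authentication visibility. Grok's stock `IP` pattern covers both families, so `addr=(%{IP:src_ip}|\?)` and `laddr=%{IP:dst_ip}` would close it without changing the captured field names. The same applies to all three hunks of this section and to the original custom_parsers file in the revision-3 section below.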
  3. @sakalajuraj sakalajuraj created this gist Apr 16, 2015.
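--- a/auditd.conf
+++ b/auditd.conf
@@ -0,0 +1,64 @@
+# Content of the file /etc/logstash/conf.d/auditd.conf
+# Tested on the CentOS 7 auditspd logs forwarded to logstash via rsyslog
+
+input {
+syslog {
+type => AUDITD
+port => xxxx
+host => "xxx.xxx.xxx.xxx"
+}
+}
+
+filter {
+if [type] == "AUDITD" {
+if [program] == "audispd" {
+grok {
+match => [ "message", "%{AUDITDTRIAL}%{GREEDYDATA:msg}" ]
+}
+grok {
+match => [
+"msg", "%{AUDITD_1}",
+"msg", "%{AUDITD_2}",
+"msg", "%{AUDITD_3}",
+"msg", "%{AUDITD_4}",
+"msg", "%{AUDITD_5}",
+"msg", "%{AUDITD_6}",
+"msg", "%{AUDITD_7}",
+"msg", "%{AUDITD_8}",
+"msg", "%{AUDITD_9}",
+"msg", "%{AUDITD_10}",
+"msg", "%{AUDITD_11}",
+"msg", "%{AUDITD_12}",
+"msg", "%{AUDITD_13}",
+"msg", "%{AUDITD_14}",
+"msg", "%{AUDITD_15}",
+"msg", "%{AUDITD_16}",
+"msg", "%{AUDITD_17}",
+"msg", "%{AUDITD_18}",
+"msg", "%{AUDITD_19}",
+"msg", "%{AUDITD_20}",
+"msg", "%{AUDITD_21}",
+"msg", "%{AUDITD_22}",
+"msg", "%{AUDITD_23}",
+"msg", "%{AUDITD_24}",
+"msg", "%{AUDITD_25}"
+]
+}
+mutate {
+remove_field => [ "msg" ]
+}
+}
+}
+}
+
+output {
+if [type] == "AUDITD" {
+elasticsearch {
+flush_size => 2000
+protocol => "transport"
+cluster => "xxxxxxxx"
+host => "xxx.xxx.xxx.xxx"
+index => "logstash-syslog-%{+YYYY.MM.dd}"
+}
+}
+}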
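Review bot: The `mutate { remove_field => [ "msg" ] }` block runs whether or not the second grok matched, so an audit record that fits none of AUDITD_1 to AUDITD_25 is indexed with the `_grokparsefailure` tag but without `msg`, and only the raw `message` field is left to reconstruct what was missed. Guarding it with `if "_grokparsefailure" not in [tags] { mutate { remove_field => [ "msg" ] } }` keeps the unparsed body available for pattern tuning and makes record types the pattern set does not cover easy to spot. The `syslog` input also accepts records from any sender that can reach the configured port; if the collector is reachable beyond the rsyslog forwarders, a comment noting where sender filtering is enforced (host firewall or an `if [host]` condition) would help the next maintainer.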
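--- a/custom_parsers
+++ b/custom_parsers
@@ -0,0 +1,72 @@
+# Content of the file /opt/logstash/patterns/custom
+# Some improvements needed, but working
+
+HOSTNAME2 \b(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z_-]{0,62}))*(\.?|\b)
+
+AUDITDTRIAL node=%{HOSTNAME2} type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\):
+
+### USER_START, USER_END, CRED_ACQ, USER_ACCT, CRED_DISSP, CRED_REFR, USER_AUTH, USER_ERR
+AUDITD_1 pid=%{INT:audit_pid} uid=%{INT:audit_uid} auid=%{INT:audit_auid} ses=%{INT:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} grantors=%{DATA:audit_grantors} acct=\"(%{WORD:user}|\?)\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
+
+### LOGIN
+AUDITD_2 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} subj=%{DATA:audit_subject} old-auid=%{NUMBER:audit_oldauid} auid=%{NUMBER:audit_auid} old-ses=%{NUMBER:audit_oldses} ses=%{NUMBER:audit_ses} res=%{GREEDYDATA:audit_res}
+
+### SYSCALL
+AUDITD_3 arch=%{DATA} syscall=%{NUMBER:audit_syscall} success=%{WORD:audit_success} exit=%{INT:audit_exit} a0=%{WORD:audit_a0} a1=%{WORD:audit_a1} a2=%{WORD:audit_a2} a3=%{WORD:audit_a3} items=%{INT:audit_items} ppid=%{INT:audit_ppid} pid=%{INT:audit_pid} auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} euid=%{INT:audit_euid} suid=%{INT:audit_suid} fsuid=%{INT:audit_fsuid} egid=%{INT:audit_egid} sgid=%{INT:audit_sgid} fsgid=%{INT:audit_fsgid} tty=%{DATA:audit_tty} ses=%{INT:audit_ses} comm=\"%{WORD:audit_comm}\" exe=\"%{DATA:audit_exe}\" subj=%{DATA:audit_subj} key=%{DATA:audit_key}
+
+### NETFILTER_CFG
+AUDITD_4 table=%{WORD:audit_table} family=%{INT:audit_family} entries=%{INT:audit_entries}
+
+### CRYPTO_KEY_USER !!!!
+AUDITD_5 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} kind=%{WORD:audit_kind} fp=%{DATA:audit_fp} direction=%{DATA:audit_direction} spid=%{INT:audit_spid} suid=%{INT:audit_suid}\s+exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
+
+### AVC
+AUDITD_6 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" path=\"%{DATA:audit_path}\" dev=\"%{WORD:audit_dev}\" ino=%{INT:audit_ino} scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}
+AUDITD_7 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" capability=%{INT:audit_capability}\s+scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}
+AUDITD_8 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" name=\"%{DATA:audit_name}\" scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}
+AUDITD_25 avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \} for\s+pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" name=\"%{DATA:audit_name}\" dev=\"%{WORD:audit_dev}\" ino=%{INT:audit_ino} scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{DATA:audit_tclass}
+
+### SERVICE_START, SERVICE_STOP
+AUDITD_9 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\' comm=%{DATA:audit_comm} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
+
+### CRYPTO_SESSION
+AUDITD_10 pid=%{INT:audit_pid} uid=%{INT:audit_uid} auid=%{INT:audit_auid} ses=%{INT:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} direction=%{DATA:audit_direction} cipher=%{DATA:audit_cipher} ksize=%{INT:audit_ksize} mac=%{DATA:audit_mac} pfs=%{DATA:audit_pfs} spid=%{INT:audit_spid} suid=%{INT:audit_suid} rport=%{INT:src_port} laddr=%{IPV4:dst_ip} lport=%{INT:dst_port}\s+exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{WORD:audit_terminal} res=%{DATA:audit_res}\'
+
+
+### USER_LOGIN, USER_LOGOUT, USER_CHAUTHOK, ADD_USER, ADD_GROUP, USER_ERR
+AUDITD_11 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} id=%{INT:audit_id} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
+AUDITD_12 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} acct=\"%{DATA:user}\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
+
+### USER_ROLE_CHANGE
+AUDITD_13 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'pam: default-context=%{DATA:audit_defaultcontext} selected-context=%{DATA:audit_selectedcontext} exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
+
+### USER_CMD
+AUDITD_14 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'cwd=%{DATA:audit_cwd} cmd=%{DATA:audit_cmd} terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
+
+### USER_AVC
+AUDITD_15 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'avc:\s+%{WORD:audit_avcaction}\s+\{ %{WORD:audit_avcop} \}\s+for auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} path=\"%{DATA:audit_path}\" cmdline=\"%{DATA:audit_cmdline}\" scontext=%{DATA:audit_scontext} tcontext=%{DATA:audit_tcontext} tclass=%{WORD:audit_tclass}\s+exe=\"%{DATA:audit_exe}\" sauid=%{INT:audit_sauid} hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal}\'
+AUDITD_16 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'avc:\s+%{DATA:audit_avcmsg}\s+exe=\"%{DATA:audit_exe}\" sauid=%{INT:audit_sauid} hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal}\'
+
+### ANOM_PROMISCUOUS
+AUDITD_17 dev=%{WORD:audit_dev} prom=%{INT:audit_prom} old_prom=%{INT:audit_oldprom} auid=%{INT:audit_auid} uid=%{INT:audit_uid} gid=%{INT:audit_gid} ses=%{INT:audit_ses}
+
+### MAC_STATUS
+AUDITD_18 enforcing=%{INT:audit_enforcing} old_enforcing=%{INT:audit_oldenforcing} auid=%{INT:audit_auid} ses=%{INT:audit_ses}
+
+### ANON_ABEND
+AUDITD_19 auid=%{NUMBER:audit_auid} uid=%{NUMBER:audit_uid} gid=%{INT:audit_gid} ses=%{INT:audit_ses} subj=%{DATA:audit_subject} pid=%{INT:audit_pid} comm=\"%{WORD:audit_comm}\" reason=\"%{DATA:audit_reason}\" sig=%{INT:audit_sig}
+
+### USER_MGMT
+AUDITD_20 pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses} subj=%{DATA:audit_subject} msg=\'op=%{DATA:audit_op} grp=\"%{WORD:audit_id}\" acct=\"%{DATA:user}\" exe=\"%{DATA:audit_exe}\" hostname=%{DATA} addr=(%{IPV4:src_ip}|\?) terminal=%{DATA:audit_terminal} res=%{DATA:audit_res}\'
+
+### MAC_POLICY_LOADED
+AUDITD_21 policy loaded auid=%{NUMBER:audit_auid} ses=%{NUMBER:audit_ses}
+
+### EXECVE
+AUDITD_22 argc=%{INT:audit_argc} a0=\"%{DATA:audit_a0}\"%{GREEDYDATA:audit_args}
+
+### CWD
+AUDITD_23 cwd=\"%{DATA:audit_cwd}\"
+
+### PATH
+AUDITD_24 item=%{INT:audit_item} name=\"?%{DATA:audit_name}\"? inode=%{INT:audit_inode} dev=%{DATA:audit_dev} mode=%{INT:audit_mode} ouid=%{INT:audit_ouid} ogid=%{INT:audit_ogid} rdev=%{DATA:audit_rdev} obj=%{DATA:audit_obj} nametype=%{WORD:audit_nametype}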
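Review bot: AUDITD_3 (SYSCALL), AUDITD_6, AUDITD_7, AUDITD_8, AUDITD_19 and AUDITD_25 match `comm=\"%{WORD:audit_comm}\"`, but `WORD` is `\b\w+\b`, so a process name containing `-` or `.` (`systemd-logind`, `dbus-daemon`) fails the whole pattern and the SYSCALL record, the one carrying uid/euid/exe/key, lands in `_grokparsefailure` unparsed. `comm=\"%{DATA:audit_comm}\"` matches the same quoted values without that restriction, and the `a0`..`a3` captures have the same `WORD` limitation for hex arguments only by luck of their character set. As far as I recall, auditd also emits `comm`, `exe`, `cwd` and `name` hex-encoded and unquoted when the value contains spaces or control characters, which none of these patterns accept; a comment under `# Some improvements needed, but working` stating that such records are not parsed would set expectations for anyone relying on this for detection.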