Voltar
-
Título
Linux-Audit-Parser Configuration Update -
Descrição
The following updates should be made in the Syslog-ng Premium Edition 7.0.32 Admin Guide regarding to the Linux audit parser.
-
Causa
Syslog-ng Premium Edition Admin Guide requires update. -
Resolução
The following updates should be noted when configuring the linux-audit-parser() settings in Syslog-ng PE.
1. The admin guide states that syslog-ng automatically decodes the "arch c000003e value becomes x86_64". That statement is incorrect. The "arch" field has not yet been developed to be automatically decoded.The list of fields which are automatically decoded by syslog-ng PE are detailed in the admin guide.
https://support.oneidentity.com/technical-documents/syslog-ng-premium-edition/7.0.32/administration-guide/89#TOPIC-1925673
2. It is a requirement that the "prefix" is a mandatory setup. To be able to parse the Linux audit messages, the prefix(.SDATA.my-parsed-data.) option must be used.parser p_auditd {
linux-audit-parser (prefix("(.SDATA.my-parsed-data.) "));
};
3. It is a requirement that the messages should be sent out in an IETF syslog format (using the syslog() destination driver). Note that the parsed values are sent out through a structured data that is only supported by IETF format.