LAUREL(8)                System Administration Utilities                laurel 0.6.4

laurel(8) -- transform, enrich Linux audit logs
laurel is an auditd(8) plug-in that parses Linux audit events, enriches them with local information, and transforms them into a JSON Lines-based output format intended for consumption by log processing and SIEM software.
-c FILE, --config=FILE : path to configuration file (default: unset)
-d, --dry-run : Only parse configuration and exit
-h, --help : Print short help text and exit
-v, --version : Print version and exit
laurel is typically configured to be spawned by auditd(8) itself or by audispd(8) (for 2.x auditd versions). All audit events are fed to laurel via its standard input channel.
Sample configuration file /etc/audit/plugins.d/laurel.conf:
active = yes
direction = out
type = always
format = string
path = /usr/sbin/laurel
args = --config /etc/laurel/config.toml
An alternative setup consists of an AF_UNIX socket to which auditd(8) writes events. A connection is then established by laurel (see the input setting below). In this case, the operator is responsible for starting and restarting laurel.
Example configuration file:
active = yes
direction = out
path = builtin_af_unix
type = builtin
args = 0600 /var/run/laurel.sock
format = string
Configuration of laurel itself is done through a single configuration file in TOML format.
This section contains basic operation parameters.
user : laurel is started as root by auditd, but it drops to a dedicated user as soon as possible. Default: unset
directory : The base directory into which all files are written. Default: . (current directory)
statusreport-period : How often stats are written to Syslog, in seconds. Default: unset
input : laurel can consume audit events from standard input or connect to a listening socket specified as unix:/path/to/socket at start. Default: stdin
marker : A string that is written to the log on startup and whenever laurel writes a status report. Default: none
This section describes the main audit log file. laurel performs its own log file rotation, just like auditd(8).
file : Filename for the audit log file. Default: audit.log
size : Size in bytes after which the log file is rotated. Default: 10MiB
generations : Number of generations to keep after rotation. Default: 5
read-users : List of users that are granted read access to the log file using POSIX ACLs. Default: empty
line-prefix : A string that is prepended to every line. Default: unset
This section describes the log file for filtered-out log events (see below). The file, size, generations, read-users, line-prefix configuration items work just like for the audit log.
execve-argv : The list of EXECVE.a* fields is transformed to an ARGV list or ARGV_STR string. Set to array, string (or both). Default: array
execve-argv-limit-bytes : Arguments are cut out of the middle of long argument lists in EXECVE.ARGV or EXECVE.ARGV_STR so that this limit is not exceeded. Default: unset
Options that can be configured here correspond to what auditd(8) does when configured with log_format=ENRICHED.
userdb : Add translations for uid and gid fields. Default: false
universal : Add translations for everything else: SYSCALL.arch, SYSCALL.syscall, SOCKADDR.saddr
drop-raw : Drop raw (numeric) syscall, arch, UID, GID values if they are translated. Default: false
Options that can be configured here actually add information to events.
execve-env : A list of environment variables to dump for exec events. Default: ["LD_PRELOAD", "LD_LIBRARY_PATH"]
container : Add container information for processes running within container runtimes. Default: true
systemd : Add systemd cgroup information for processes running within systemd services. Default: true
pid : Add context information for process IDs. Default: true
script : If an exec syscall spawns a script (as opposed to a binary), add a SCRIPT entry to the SYSCALL record. A script is assumed if the first PATH entry does not correspond to the file mentioned in SYSCALL.exe. Default: true
user-groups : Add groups that the user ("uid") is a member of. Default: true
prefix : Add a prefix to enriched fields; this may be useful if logs are consumed by analysis software that doesn't properly understand uppercase and lowercase JSON object fields as identical. This setting does not affect enriched fields passed in from auditd(8). Default: unset
Labels can be attached to processes and are added to any event associated with those processes. These labels can be propagated from parent to child processes.
label-exe.<regexp> = <label-name> : Regular expression/label mappings applied to binary executables (SYSCALL.exe) on execve calls. Default: none
label-argv.<regexp> = <label-name> : Regular expression/label mappings applied to the command line (EXECVE.a*) on execve calls. Default: none
label-script.<regexp> = <label-name> : Regular expression/label mappings applied to scripts (SYSCALL.SCRIPT, see the enrich.script description above) on exec calls. Default: none
label-keys : A list of keys that are applied as a process label, see auditctl(8)'s -k option. Default: none
unlabel-exe.<regexp> = <label-name> : Like label-exe, but for removing labels
unlabel-argv.<regexp> = <label-name> : Like label-argv, but for removing labels
unlabel-script.<regexp> = <label-name> : Like label-script, but for removing labels
label-argv-count : Number of command line arguments that are considered for label-argv, unlabel-argv. Default: 32
label-argv-bytes : Number of bytes that are considered for label-argv, unlabel-argv. Default: 4096
propagate-labels : List of labels that are propagated to child processes. Default: empty
Filters make laurel drop entire events from the log file while still using them for internal processing such as process tracking.
filter-keys : A list of strings that are matched against SYSCALL.key to drop the event. Default: empty
filter-null-keys : Filter events without a specified key. Default: false
filter-labels : A list of strings that are matched against process labels. Default: empty
filter-raw-lines : A list of regular expressions that are matched against individual input lines as written by auditd(8). Events that contain such lines are then filtered. Default: empty
filter-action : What to do with filtered events: drop, or log to the filterlog defined above.
keep-first-per-process : Keep the first event observed for any given process even if it would be filtered otherwise. This should only be turned off if reproducible process tracking or process tree reconstruction is not required. Default: true
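A complete config.toml that ties the settings above together, added here as an example and not laurel's shipped configuration: it labels package-manager activity, propagates the label to child processes so post-install scripts stay attributable, and routes those events to the filter log rather than dropping them. The section headers ([auditlog], [filterlog], [transform], [translate], [enrich], [label-process], [filter]), the account names _laurel and _siem, the socket path, and the regular expressions and label names are assumptions of this example, not values stated on this page.

```toml
# Added example laurel config.toml; section names assumed from laurel's own example file.
user = "_laurel"                  # drop root privileges to this user
directory = "/var/log/laurel"
statusreport-period = 60
input = "unix:/var/run/laurel.sock"   # AF_UNIX setup above; omit to read stdin
marker = "laurel-started"

[auditlog]
file = "audit.log"
size = 10485760                   # 10 MiB
generations = 5
read-users = [ "_siem" ]          # POSIX ACL read access for the log shipper
line-prefix = "@cee: "

[filterlog]
file = "filtered.log"
size = 1048576
generations = 3
read-users = [ "_siem" ]

[transform]
execve-argv = [ "array", "string" ]   # emit EXECVE.ARGV and EXECVE.ARGV_STR
execve-argv-limit-bytes = 10000

[translate]
userdb = true
universal = true
drop-raw = false                  # keep numeric values beside translations

[enrich]
execve-env = [ "LD_PRELOAD", "LD_LIBRARY_PATH" ]
script = true
user-groups = true
prefix = "enriched_"              # keep enriched fields distinct for case-folding consumers

[label-process]
# Label package-manager runs (audit rule key or exe regex) and propagate the
# label to children so post-install scripts remain attributable.
label-keys = [ "software_mgmt" ]
label-exe.'^/usr/bin/(apt|apt-get|dpkg|dnf|rpm)$' = "software_mgmt"
label-argv.'^(?:\S+/)?rsync\s' = "rsync"
unlabel-exe.'^/usr/bin/(less|more)$' = "software_mgmt"   # pagers spawned by apt lose the label
propagate-labels = [ "software_mgmt" ]
label-argv-count = 32
label-argv-bytes = 4096

[filter]
filter-labels = [ "software_mgmt" ]   # remove package-manager noise from audit.log ...
filter-action = "log"                 # ... but keep it in filtered.log for forensics
keep-first-per-process = true
```

Run laurel -c /etc/laurel/config.toml --dry-run to have it parse the file and exit before wiring it into auditd.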
SIGHUP causes laurel to process any buffered input and restart. It can be used to reconfigure laurel without having to restart auditd(8), which would likely lead to lost audit messages.
auditd(8), auditd-plugins(5), audit.rules(7), laurel-about(7), laurel-audit-rules(7)
- Hilko Bengen <[email protected]>
- Sergej Schmidt <[email protected]>