Auditd Logs (Beta)
Stream auditd logs directly to Panther over HTTPS
Overview
Auditd log ingestion is in open beta starting with Panther version 1.76, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther supports ingesting auditd logs, created by the Linux Audit Daemon, by forwarding them with Fluent Bit and streaming them to an HTTP Source.
How to onboard auditd audit logs to Panther
Step 1: Create a new auditd log source in Panther
In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Auditd," then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
When setting the Stream Type for the source, we recommend choosing JSON, as it corresponds to Format json_lines in the Fluent Bit configuration in the next step.
When setting the Auth method for the source, we recommend using Shared Secret.
Step 2: Configure Fluent Bit
Follow the Getting Started with Fluent Bit instructions to install Fluent Bit as a service.
Create a Fluent Bit configuration file.
You must use winevtlog. Other modules are deprecated and will not work.
[INPUT] variables:
  Name: Set this to tail
  Path: Set this as the path to your log file.
[OUTPUT] variables:
  Host: Enter your Panther URL. Example: logs.instance-name.runpanther.net
  URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with /http/. Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a
  Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
  Name: Set to http.
  TLS: Set to ON.
  Port: Set to 443.
Example:
[SERVICE]
    Flush 1

[INPUT]
    Name tail
    Path /var/log/audit/audit.log

[OUTPUT]
    Name http
    Match *
    Host logs.instance-name.runpanther.net
    Port 443
    URI /http/cb015ee4-543c-4489-9f4b-testaa16d7a
    Header x-sender-header {YOUR_SECRET_HERE}
    Format json_lines
    TLS On
    TLS.Verify On
Start Fluent Bit, passing the path to your new config file.
Supported log types
Required fields in the schema are listed as "required: true"
Linux.Auditd
The following defines the Linux audit log schema:
schema: Linux.Auditd
description: Linux audit log
referenceURL: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
fields:
  - name: type
    required: true
    description: Audit Record Type. See https://access.redhat.com/articles/4409591#audit-record-types-2 for a full list
    type: string
  - name: a0
    description: Records the first argument of the system call, encoded in hexadecimal notation.
    type: string
  - name: a1
    description: Records the second argument of the system call, encoded in hexadecimal notation.
    type: string
  - name: a2
    description: Records the third argument of the system call, encoded in hexadecimal notation.
    type: string
  - name: a3
    description: Records the fourth argument of the system call, encoded in hexadecimal notation.
    type: string
  - name: acct
    description: Records the user account name under which the process was executed.
    type: string
  - name: action
    description: Records the action taking place in an integrity policy rule.
    type: string
  - name: appraise_type
    description: Records the appraisal type used in an integrity policy rule.
    type: string
  - name: addr
    description: Records the IPv4 or IPv6 address. This field usually follows a hostname field and contains the address the host name resolves to.
    type: string
    indicators:
      - ip
  - name: arch
    description: Records information about the CPU architecture of the system, encoded in hexadecimal notation.
    type: string
  - name: calipso_doi
    description: Records the DOI of an RFC5570 Calipso entry.
    type: string
  - name: calipso_type
    description: Records the type of an RFC5570 Calipso entry.
    type: string
  - name: capability
    description: Records the number of bits that were used to set a particular Linux capability. For more information on Linux capabilities, see the capabilities(7) man page.
    type: string
  - name: cap_fe
    description: Records data related to the setting of the effective file system-based capability bit.
    type: string
  - name: cap_fi
    description: Records data related to the setting of an inherited file system-based capability.
    type: string
  - name: cap_fp
    description: Records data related to the setting of a permitted file system-based capability.
    type: string
  - name: cap_fver
    description: Records the version of a file system-based capability.
    type: string
  - name: cap_pe
    description: Records data related to the setting of an effective process-based capability.
    type: string
  - name: cap_pi
    description: Records data related to the setting of an inherited process-based capability.
    type: string
  - name: cap_pp
    description: Records data related to the setting of a permitted process-based capability.
    type: string
  - name: cause
    description: Records the cause in an integrity policy rule.
    type: string
  - name: cgroup
    description: Records the path to the cgroup that contains the process at the time the Audit event was generated.
    type: string
  - name: cmd
    description: Records the entire command line that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the cmd field records the rest of the command line that is executed, for example helloworld.sh --help.
    type: string
  - name: code
    description: Records the seccomp action.
    type: string
  - name: comm
    description: Records the command that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the comm field records the name of the script that is executed, for example helloworld.sh.
    type: string
  - name: compat
    description: Records the syscall compatibility mode in a seccomp action.
    type: string
  - name: cwd
    description: Records the path to the directory in which a system call was invoked.
    type: string
  - name: data
    description: Records data associated with TTY records.
    type: string
  - name: dev
    description: Records the minor and major ID of the device that contains the file or directory recorded in an event.
    type: string
  - name: devmajor
    description: Records the major device ID.
    type: string
  - name: devminor
    description: Records the minor device ID.
    type: string
  - name: exe
    description: Records the path to the executable that was used to invoke the analyzed process.
    type: string
  - name: exit
    description: 'Records the exit code returned by a system call. This value varies by system call. You can interpret the value to its human-readable equivalent with the following command: ausearch --interpret --exit exit_code'
    type: string
  - name: family
    description: Records the type of address protocol that was used, either IPv4 or IPv6.
    type: string
  - name: feature
    description: Records the audit feature being set or cleared.
    type: string
  - name: file
    description: Records the file involved in an integrity measurement.
    type: string
  - name: filetype
    description: Records the type of the file.
    type: string
  - name: flags
    description: Records the file system name flags.
    type: string
  - name: fowner
    description: Records the file owner used in an integrity policy rule.
    type: string
  - name: fsgid
    description: Records the file system group ID of the user who started the analyzed process.
    type: string
  - name: fsmagic
    description: Records the filesystem magic used in an integrity policy rule.
    type: string
  - name: fsuuid
    description: Records the fsuuid used in an integrity policy rule.
    type: string
  - name: fsuid
    description: Records the file system user ID of the user who started the analyzed process.
    type: string
  - name: func
    description: Records the function involved in an integrity policy rule.
    type: string
  - name: hash
    description: Records the hash of a file involved in an integrity measurement.
    type: string
  - name: hostname
    description: Records the host name.
    type: string
    indicators:
      - hostname
  - name: icmptype
    description: Records the type of an Internet Control Message Protocol (ICMP) package that is received. Audit messages containing this field are usually generated by iptables.
    type: string
  - name: id
    description: Records the user ID of an account that was changed.
    type: string
  - name: inode
    description: Records the inode number associated with the file or directory recorded in an Audit event.
    type: string
  - name: inode_gid
    description: Records the group ID of the inode's owner.
    type: string
  - name: inode_uid
    description: Records the user ID of the inode's owner.
    type: string
  - name: ip
    description: Records the instruction pointer in a seccomp action.
    type: string
    indicators:
      - ip
  - name: items
    description: Records the number of path records that are attached to this record.
    type: string
  - name: key
    description: Records the user defined string associated with a rule that generated a particular event in the Audit log.
    type: string
  - name: list
    description: 'Records the Audit rule list ID. The following is a list of known IDs: 0 — user, 1 — task, 4 — exit, 5 — exclude'
    type: string
  - name: mode
    description: Records the file or directory permissions, encoded in numerical notation.
    type: string
  - name: msgtype
    description: Records the message type that is returned in case of a user-based AVC denial. The message type is determined by D-Bus.
    type: string
  - name: name
    description: Records the full path of the file or directory that was passed to the system call as an argument.
    type: string
  - name: new-disk
    description: Records the name of a new disk resource that is assigned to a virtual machine.
    type: string
  - name: new-mem
    description: Records the amount of a new memory resource that is assigned to a virtual machine.
    type: string
  - name: new-vcpu
    description: Records the number of a new virtual CPU resource that is assigned to a virtual machine.
    type: string
  - name: new-net
    description: Records the MAC address of a new network interface resource that is assigned to a virtual machine.
    type: string
  - name: new_gid
    description: Records a group ID that is assigned to a user.
    type: string
  - name: new_lock
    description: Records the new value of a lock being set on an audit feature.
    type: string
  - name: nsec
    description: Records the number of nanoseconds by which the system clock was shifted.
    type: string
  - name: ocomm
    description: Records the command that was used to start the target process. This field is exclusive to the record of type OBJ_PID.
    type: string
  - name: old_lock
    description: Records the old value of a lock being set on an audit feature.
    type: string
  - name: oses
    description: Records the session ID of the target process. This field is exclusive to the record of type OBJ_PID.
    type: string
  - name: obj
    description: Records the SELinux context of an object. An object can be a file, a directory, a socket, or anything that is receiving the action of a subject.
    type: string
  - name: objtype
    description: Records the intent of the PATH record object in the context of a syscall.
    type: string
  - name: obj_gid
    description: Records the group ID of an object.
    type: string
  - name: obj_lev_high
    description: Records the high SELinux level of an object.
    type: string
  - name: obj_lev_low
    description: Records the low SELinux level of an object.
    type: string
  - name: obj_role
    description: Records the SELinux role of an object.
    type: string
  - name: obj_type
    description: Records the type of an object.
    type: string
  - name: obj_uid
    description: Records the UID of an object.
    type: string
  - name: obj_user
    description: Records the user that is associated with an object.
    type: string
  - name: old-disk
    description: Records the name of an old disk resource when a new disk resource is assigned to a virtual machine.
    type: string
  - name: old-mem
    description: Records the amount of an old memory resource when a new amount of memory is assigned to a virtual machine.
    type: string
  - name: old-vcpu
    description: Records the number of an old virtual CPU resource when a new virtual CPU is assigned to a virtual machine.
    type: string
  - name: old-net
    description: Records the MAC address of an old network interface resource when a new network interface is assigned to a virtual machine.
    type: string
  - name: old_prom
    description: Records the previous value of the network promiscuity flag.
    type: string
  - name: path
    description: Records the full path of the file or directory that was passed to the system call as an argument in case of AVC-related Audit events.
    type: string
  - name: perm
    description: Records the file permission that was used to generate an event (that is, read, write, execute, or attribute change).
    type: string
  - name: ppid
    description: Records the Parent Process ID (PID).
    type: string
  - name: proctitle
    description: Records the full command-line of the command that was used to invoke the analyzed process. The field is encoded in hexadecimal notation to not allow the user to influence the Audit log parser. The text decodes to the command that triggered this Audit event. When searching Audit records with the ausearch command, use the -i or --interpret option to automatically convert hexadecimal values into their human-readable equivalents.
    type: string
  - name: prom
    description: Records the network promiscuity flag.
    type: string
  - name: proto
    description: Records the networking protocol that was used. This field is specific to Audit events generated by iptables.
    type: string
  - name: res
    description: Records the result of the operation that triggered the Audit event.
    type: string
  - name: resp
    description: Records the response from an fanotify access control decision.
    type: string
  - name: result
    description: Records the result of the operation that triggered the Audit event.
    type: string
  - name: saddr
    description: Records the socket address.
    type: string
  - name: sec
    description: Records the number of seconds by which the system clock was shifted.
    type: string
  - name: ses
    description: Records the session ID of the session from which the analyzed process was invoked.
    type: string
  - name: sig
    description: Records the number of a signal that causes a program to end abnormally. Usually, this is a sign of a system intrusion.
    type: string
  - name: subj
    description: Records the SELinux context of a subject. A subject can be a process, a user, or anything that is acting upon an object.
    type: string
  - name: subj_clr
    description: Records the SELinux clearance of a subject.
    type: string
  - name: subj_role
    description: Records the SELinux role of a subject.
    type: string
  - name: subj_sen
    description: Records the SELinux sensitivity of a subject.
    type: string
  - name: subj_type
    description: Records the type of a subject.
    type: string
  - name: subj_user
    description: Records the user that is associated with a subject.
    type: string
  - name: success
    description: Records whether a system call was successful or failed.
    type: string
  - name: syscall
    description: Records the type of the system call that was sent to the kernel.
    type: string
  - name: terminal
    description: Records the terminal name (without /dev/).
    type: string
  - name: tty
    description: Records the name of the controlling terminal. The value (none) is used if the process has no controlling terminal.
    type: string
  - name: vm
    description: Records the name of a virtual machine from which the Audit event originated.
    type: string
  - name: xattr
    description: Records the set of extended attributes modified and protected by EVM.
    type: string
  - name: pid
    description: The pid field semantics depend on the origin of the value in this field. In fields generated from user-space, this field holds a process ID. In fields generated by the kernel, this field holds a thread ID. The thread ID is equal to the process ID for single-threaded processes. Note that the value of this thread ID is different from the values of pthread_t IDs used in user-space. For more information, see the gettid(2) man page.
    type: string
  - name: sauid
    description: Records the sender Audit login user ID. This ID is provided by D-Bus as the kernel is unable to see which user is sending the original auid.
    type: string
  - name: sgid
    description: Records the set group ID of the user who started the analyzed process.
    type: string
  - name: oauid
    description: Records the user ID of the user that has logged in to access the system (as opposed to, for example, using su) and has started the target process. This field is exclusive to the record of type OBJ_PID.
    type: string
  - name: opid
    description: Records the process ID of the target process. This field is exclusive to the record of type OBJ_PID.
    type: string
  - name: ouid
    description: Records the real user ID of the target process.
    type: string
  - name: ogid
    description: Records the object owner's group ID.
    type: string
  - name: uid
    description: Records the real user ID of the user who started the analyzed process.
    type: string
    indicators:
      - actor_id
  - name: suid
    description: Records the set user ID of the user who started the analyzed process.
    type: string
  - name: egid
    description: Records the effective group ID of the user who started the analyzed process.
    type: string
  - name: auid
    description: Records the Audit user ID. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su -john).
    type: string
  - name: euid
    description: Records the effective user ID of the user who started the analyzed process.
    type: string
  - name: gid
    description: Records the group ID.
    type: string
  - name: extra_message_fields
    description: Panther defined field. A msg field in an auditd log can contain arbitrary key value pairs that we structure into a map.
    type: json
  - name: timestamp
    required: true
    description: When the audit event occurred
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: eventId
    description: ID of the audit event. Note that multiple records can share the same time stamp and ID if they were generated as part of the same Audit event.
    type: string
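As an added example (not Panther's parser or any code from this page), the following Python shows how a raw audit.log line maps onto the field layout above: the record header supplies type, the unix timestamp and eventId; key=value pairs whose key is one of the schema's fields are promoted to top-level fields; and every other pair, including those nested inside msg='...', goes to extra_message_fields. It also decodes the hex-encoded form that auditd uses for proctitle and similar fields, which ausearch -i would otherwise do for you. The field list is copied from the schema above; the sample records are constructed for this example, and the handling of dict input assumes Fluent Bit's tail input delivers each line under a "log" key (its default behaviour).

```python
"""Map raw auditd records onto the field layout of the Linux.Auditd schema.

Added example for this page, not Panther's parser. Dict input is assumed to be a
Fluent Bit tail record carrying the raw line under "log"; raw lines work too.
"""
import json
import re
from typing import Any, Dict, List, Union

# Every record opens "type=<TYPE> msg=audit(<epoch seconds>:<serial>):". All
# records of one audit event share the serial, which is the schema's eventId.
# An optional "node=<host> " prefix appears when auditd's name_format is set.
_HEADER = re.compile(
    r"^(?:node=\S+ )?type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\):\s*(?P<rest>.*)$"
)
# USER_* records nest free-form key=value pairs inside msg='...'.
_INNER_MSG = re.compile(r"msg='(?P<inner>[^']*)'")
# key=value, where value is "double quoted" or a bare token.
_KV = re.compile(r'(?P<key>[A-Za-z0-9_\-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

# Field names declared by the schema on this page. Any other key parsed from a
# record body is kept in extra_message_fields, the schema's catch-all map.
SCHEMA_FIELDS = frozenset(
    """type a0 a1 a2 a3 acct action appraise_type addr arch calipso_doi calipso_type
    capability cap_fe cap_fi cap_fp cap_fver cap_pe cap_pi cap_pp cause cgroup cmd code
    comm compat cwd data dev devmajor devminor exe exit family feature file filetype
    flags fowner fsgid fsmagic fsuuid fsuid func hash hostname icmptype id inode
    inode_gid inode_uid ip items key list mode msgtype name new-disk new-mem new-vcpu
    new-net new_gid new_lock nsec ocomm old_lock oses obj objtype obj_gid obj_lev_high
    obj_lev_low obj_role obj_type obj_uid obj_user old-disk old-mem old-vcpu old-net
    old_prom path perm ppid proctitle prom proto res resp result saddr sec ses sig subj
    subj_clr subj_role subj_sen subj_type subj_user success syscall terminal tty vm
    xattr pid sauid sgid oauid opid ouid ogid uid suid egid auid euid gid""".split()
)
# auditd writes these unquoted and hex-encoded when the value holds spaces or
# control characters (ausearch -i undoes this); argv entries are NUL-separated.
HEX_ENCODED_FIELDS = frozenset({"proctitle", "comm", "exe", "cwd", "name", "cmd", "acct", "data"})


def decode_hex_field(value: str) -> str:
    """Decode an auditd hex-encoded value; non-hex input is returned unchanged."""
    if not _HEX.fullmatch(value):
        return value
    return bytes.fromhex(value).replace(b"\x00", b" ").decode("utf-8", "replace")


def _value(match: "re.Match[str]", key: str) -> str:
    quoted, bare = match.group("quoted"), match.group("bare")
    if quoted is not None:
        return quoted
    return decode_hex_field(bare) if key in HEX_ENCODED_FIELDS else bare


def parse_record(record: Union[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Parse one audit.log line, or a Fluent Bit record carrying it under "log"."""
    line = record["log"] if isinstance(record, dict) else record
    header = _HEADER.match(line.strip())
    if header is None:
        raise ValueError(f"not an auditd record: {line!r}")
    event: Dict[str, Any] = {
        "type": header.group("type"),
        "timestamp": float(header.group("ts")),  # schema timeFormats: unix
        "eventId": header.group("id"),
        "extra_message_fields": {},
    }
    body = header.group("rest")
    inner = _INNER_MSG.search(body)
    if inner is not None:  # nested msg='...' pairs go to the catch-all map
        for kv in _KV.finditer(inner.group("inner")):
            event["extra_message_fields"][kv.group("key")] = _value(kv, kv.group("key"))
        body = body[: inner.start()] + body[inner.end():]
    for kv in _KV.finditer(body):
        key = kv.group("key")
        target = event if key in SCHEMA_FIELDS else event["extra_message_fields"]
        target[key] = _value(kv, key)
    return event


# Constructed sample records (not from a real host): a denied read of
# sshd_config, its PROCTITLE companion record, and a PAM accounting record.
SAMPLE_LINES: List[str] = [
    "type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no "
    "exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 "
    "auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 "
    "tty=pts0 ses=1 comm=\"cat\" exe=\"/bin/cat\" "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=\"sshd_config\"",
    "type=PROCTITLE msg=audit(1364481363.243:24287): proctitle=2F62696E2F62617368002D63006C73",
    "type=USER_ACCT msg=audit(1364481363.243:24288): pid=3538 uid=500 auid=500 ses=1 "
    "msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=? addr=? "
    "terminal=/dev/pts/0 res=success'",
]


def parse_lines(lines: List[str]) -> List[Dict[str, Any]]:
    return [parse_record(line) for line in lines]


if __name__ == "__main__":
    for event in parse_lines(SAMPLE_LINES):
        print(json.dumps(event, sort_keys=True))
```

Running the module prints one JSON object per record. Note that the SYSCALL and PROCTITLE samples share eventId 24287, which is how the records of one audit event are joined back together after ingestion, and that the PAM record's nested pairs (op, acct, res, and so on) end up in extra_message_fields rather than as top-level fields.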