Auditd hex2ascii conversion plugin

dscryber · February 17, 2022, 7:03pm

Auditd hex2ascii conversion plugin

Plugin Initial release

Graylog plugin for converting hex-encoded string used in auditd logs into human readable format

@winnie22

graylog-plugin-auditd-hex2ascii

Graylog plugin for converting hex-encoded string used in auditd logs into human readable format

Installation

Download the plugin and place the .jar file in your Graylog plugin directory. The plugin directory is the plugins/ folder relative from your graylog-server directory by default and can be configured in your graylog.conf file.

Restart graylog-server and you are done.

Usage

Parse auditd logs ie. as described here. Create rule that convert hex-encoded string from cmd or proctitle field into human readable format.

rule "proctitle2ascii_auditd"
when
 has_field("auditd_proctitle")
then
 set_field("auditd_proctitle_ascii", hex2ascii(to_string($message.auditd_proctitle)));
end

Will result into fields:

auditd_proctitle: 636174002F6574632F7373682F737368645F636F6E666967
auditd_proctitle_ascii: cat /etc/ssh/sshd_config

Topic		Replies	Views
Convert hex string in syslog to ascii in Graylog Graylog Central (peer support)	2	1434	October 26, 2017
Convert hex string to ascii, now possible Graylog Central (peer support)	2	753	September 6, 2021
Noob ISO Pipeline Help Graylog Central (peer support) pipeline-rules	7	553	August 6, 2020
JSON Extractor and Field Converter Graylog Central (peer support)	2	1175	June 4, 2019
Graylog support for auditd in syslogs Graylog Central (peer support) pipeline-rules , route-to-streampl	11	6210	July 13, 2018

Auditd hex2ascii conversion plugin

Auditd hex2ascii conversion plugin

Plugin Initial release

graylog-plugin-auditd-hex2ascii

Installation

Usage

Related topics