Are there any resources to support auditd logging within Graylog with CentOS hosts to parse out the fields correctly?
I have tried enabling auditd logging via syslog to a UDP syslog input as shown below, but the fields vary and are not parsed correctly.
Would another option be to use something like the NXLog imfile module to read the file and then send it to a GELF input? Would this work, as the JSON should contain the fields?
Alternatively, would it be better to use a GROK filter or pipeline rules to parse out the fields?
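As an added example (not from the original post or from Graylog/NXLog), here is a small Python parser for auditd's native key=value record format; it shows why a single fixed GROK pattern struggles: the field set differs per record type, quoted and hex-encoded values need different handling, and several records that share one serial belong to the same event and should be merged before indexing. The sample records are constructed.

```python
import re
from typing import Dict, List

# Constructed auditd records (one event, serial 24287, split over three lines) in the key=value format auditd writes.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no '
    'exit=-13 a0=7fffd19c5592 a1=0 items=1 ppid=2686 pid=3538 auid=500 uid=500 tty=pts0 '
    'ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="sshd_config"',
    'type=CWD msg=audit(1364481363.243:24287):  cwd="/home/shadowman"',
    'type=PROCTITLE msg=audit(1364481363.243:24287): '
    'proctitle=636174002F6574632F7373682F737368645F636F6E666967',
]

HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# A value is either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# String fields that auditd emits unquoted and hex-encoded when they contain spaces or control characters.
HEX_FIELDS = {"proctitle", "cwd", "name", "comm", "exe", "key"}

def decode_value(key: str, raw: str) -> str:
    """Strip surrounding quotes, or hex-decode an unquoted value of a hex-encoded field (NULs become spaces)."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in HEX_FIELDS and raw and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).replace(b'\x00', b' ').decode('utf-8', 'replace')
    return raw

def parse_audit_line(line: str) -> Dict[str, object]:
    """Parse one auditd record into a flat dict; the set of keys depends on the record type."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f'not an auditd record: {line!r}')
    fields: Dict[str, object] = {'type': m.group('type'),
                                 'audit_timestamp': float(m.group('ts')),
                                 'audit_serial': int(m.group('serial'))}
    for key, raw in KV_RE.findall(m.group('rest')):
        fields[key] = decode_value(key, raw)
    return fields

def group_by_serial(lines: List[str]) -> Dict[int, Dict[str, object]]:
    """Merge records that share a serial into one event, the shape a single Graylog message would need."""
    events: Dict[int, Dict[str, object]] = {}
    for line in lines:
        rec = parse_audit_line(line)
        ev = events.setdefault(rec['audit_serial'], {'record_types': []})
        ev['record_types'].append(rec.pop('type'))
        ev.update(rec)
    return events
```

The same two steps (per-record key=value extraction, then merging by serial) are what a pipeline rule or a pre-processing stage in front of the GELF input has to perform.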