Ok, so I’m now trying to set up a rule to grab all auditd messages, extract all key-value fields (I think that is the term) and prefix them with “auditd_”.
So maybe I’m a bit slow, but even after having read through the documentation: Rules - Processing Pipelines I cannot see exactly how to get this simple part working and processing my audit log messages:
(the rule is mapped to the debian audit log stream via pipeline)
```
rule "auditd_identify_and_tag"
when
  has_field("what do I put here")
then
```
So for “has_field” I’ve tried id “id-auditlog” as used in my auditd filebeat collector config as well as filebeat fields “audit_log: true” - also used in filebeat collector config. None of these work, however, so at this point it’s not really clear to me how to make the rule work…
On the stream which I’ve connected the pipeline to, I have only audit logs coming in, so I guess another option would be to do a sort of catch all rule, if that is possible?
EDIT:
I realised that all the debian audit log messages seem to have the string “type=” at the start of each log line, so I’ve tried to use that value for has_field, but to no avail.
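For reference, here is an added example of what such a rule can look like in Graylog's pipeline rule language. It is not from the original post or from the Graylog documentation, and it assumes that Filebeat delivers the raw auditd line in the `message` field (the usual case) and that the pipeline is already attached to the audit log stream. The key point it illustrates is that `has_field()` tests for a field *name* on the message, not for text inside the line, so `has_field("type=")` can never match; the "type=" prefix is instead checked with `starts_with()` on the content of `message`. The parsed fields are written back with `set_fields()` and its `prefix` parameter, which is what produces the `auditd_` names:

```graylog
rule "auditd_identify_and_tag"
when
  // has_field checks for a field name; the raw auditd line normally arrives in "message"
  has_field("message") &&
  starts_with(to_string($message.message), "type=")
then
  // split e.g. "type=SYSCALL msg=audit(1600000000.123:42): arch=c000003e syscall=59 exe=\"/usr/bin/id\""
  // (constructed sample line) into a map of key -> value on the space and "=" separators
  let kv = key_value(
    value: to_string($message.message),
    delimiters: " ",
    kv_delimiters: "=",
    ignore_empty_values: true,
    allow_dup_keys: true,
    handle_dup_keys: "take_first"
  );
  // write every pair back onto the message as auditd_<key>: auditd_type, auditd_syscall, auditd_exe, ...
  set_fields(fields: kv, prefix: "auditd_");
  // marker field so later rules or searches can select the records this rule handled
  set_field("auditd_parsed", true);
end
```

Two caveats worth checking in the pipeline simulator before relying on the output: `key_value()` splits on spaces, so records whose `msg='...'` payload contains spaces (USER_* and CRED_* records from PAM, for instance) will have that payload cut into pieces rather than kept as one value, and quoted values such as `exe="/usr/bin/id"` keep their quotes unless you also pass `trim_value_chars` to `key_value()`. The `msg=audit(timestamp:serial):` token lands in `auditd_msg` as-is; if the event serial is needed as its own field, extract it with `regex()` in a follow-up rule.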