I have written a parser to parse audit events through the dispatcher plugin. On CentOS 8 or RHEL 8, my parser fails to parse the audit events because the events arrive in a different format: they have some extra parameters appended at the end of each event.
Viewed 297 times
1 Answer
Found the issue: it was with the audit.conf entry. For CentOS 8 or RHEL 8 there is a new config option, log_format = ENRICHED. Changing ENRICHED to RAW would give the events as before, or update the parser if required to use ENRICHED.
The man page of audit.conf says:
The ENRICHED option will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk. This aids in making sense of events created on one system but reported/analyzed on another system.

Praveen Patel
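Added example (not code from the question or the answer above): a small Python parser that accepts records from either log_format, so a dispatcher plugin does not have to depend on the RAW setting. It relies on the fact that auditd in ENRICHED mode appends the resolved fields after an ASCII 0x1D group-separator byte; the two sample records are constructed for the example, not captured from a real host.

```python
import re

# auditd in log_format = ENRICHED mode appends the interpreted fields after an
# ASCII 0x1D (group separator) byte; a RAW record never contains that byte.
ENRICHED_SEP = "\x1d"

_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(text):
    """Turn 'a=1 b="two words"' into {'a': '1', 'b': 'two words'}."""
    return {k: v.strip('"') for k, v in _FIELD.findall(text)}


def parse_audit_event(line):
    """Parse one auditd record; works for both RAW and ENRICHED log_format."""
    raw_part, _, enriched_part = line.rstrip("\n").partition(ENRICHED_SEP)
    m = _HEADER.match(raw_part)
    if not m:
        raise ValueError("not an audit record: %r" % line[:60])
    return {
        "type": m["type"],
        "timestamp": float(m["ts"]),
        "serial": int(m["serial"]),
        "fields": parse_fields(m["body"]),
        # Resolved names (UID="root", SYSCALL=openat, ...) exist only when ENRICHED
        "enriched": parse_fields(enriched_part) if enriched_part else {},
    }


def strip_enrichment(line):
    """Return the RAW-format record, for feeding a parser that predates ENRICHED."""
    return line.partition(ENRICHED_SEP)[0]


# Constructed sample records (not captured from a real host).
SAMPLE_RAW = (
    'type=SYSCALL msg=audit(1616600000.123:456): arch=c000003e syscall=257 '
    'success=yes exit=3 a0=ffffff9c a1=55d0 a2=80000 a3=0 items=1 ppid=1 pid=1234 '
    'auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 '
    'comm="cat" exe="/usr/bin/cat" key="example"'
)
SAMPLE_ENRICHED = SAMPLE_RAW + ENRICHED_SEP + (
    'ARCH=x86_64 SYSCALL=openat AUID="root" UID="root" GID="root" EUID="root" '
    'SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"'
)
```

With this in place the plugin can keep `log_format = ENRICHED` (the resolved names are what make events readable on another host) while older code paths still get the RAW text via `strip_enrichment`.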