NAME
laurel(8) – transform, enrich Linux audit logs
SYNOPSIS
laurel is an auditd(8) plug-in that parses Linux audit events,
enriches them with local information, and transforms them into a
JSONlines-based output format intended for consumption by log
processing and SIEM software.
OPTIONS
- -c FILE, --config=FILE
- path to configuration file (default: unset)
- -d, --dry-run
- Only parse configuration and exit
- -h, --help
- Print short help text and exit
- -v, --version
- Print version and exit
DESCRIPTION
laurel is typically configured to be spawned by auditd(8) itself or by
audispd(8) (for 2.x auditd versions). All audit events are fed to
laurel via its standard input channel.
Sample configuration file /etc/audit/plugins.d/laurel.conf:
active = yes
direction = out
type = always
format = string
path = /usr/sbin/laurel
args = --config /etc/laurel/config.toml
An alternative setup uses an AF_UNIX socket to which auditd(8)
writes events; laurel connects to that socket at startup (see the
input setting under CONFIGURATION below). In this case, the operator
is responsible for starting and restarting laurel.
Example configuration file:
active = yes
direction = out
path = builtin_af_unix
type = builtin
args = 0600 /var/run/laurel.sock
format = string
CONFIGURATION
Configuration of laurel itself is done through a single
configuration file in TOML format.
main section
This section contains basic operation parameters.
- user: laurel is started as root by auditd(8), but it drops to a dedicated user as soon as possible. Default: unset
- directory: The base directory into which all files are written. Default: . (current directory)
- statusreport-period: How often stats are written to Syslog, in seconds. Default: unset
- input: laurel can consume audit events from standard input or connect, at start, to a listening socket specified as unix:/path/to/socket. Default: stdin
- marker: A string that is written to the log on startup and whenever laurel writes a status report. Default: none
[auditlog] section
This section describes the main audit log file. laurel performs its
own log file rotation, just like auditd(8).
- file: Filename for the audit log file. Default: audit.log
- size: Size in bytes after which the log file is rotated. Default: 10MiB
- generations: Number of generations to keep after rotation. Default: 5
- read-users: List of users that are granted read access to the log file using POSIX ACLs. Default: empty
- line-prefix: A string that is prepended to every line. Default: unset
[filterlog] section
This section describes the log file for filtered-out log events (see
below). The file, size, generations, read-users, line-prefix
configuration items work just like for the audit log.
[transform] section
- execve-argv: The list of EXECVE.a* fields is transformed into an ARGV list or an ARGV_STR string. Set to array, string (or both). Default: array
- execve-argv-limit-bytes: Arguments are cut out of the middle of long argument lists in EXECVE.ARGV or EXECVE.ARGV_STR so that this limit is not exceeded. Default: unset
[translate] section
Options that can be configured here correspond to what auditd(8)
does when configured with log_format=ENRICHED.
- userdb: Add translations for uid and gid fields. Default: false
- universal: Add translations for everything else: SYSCALL.arch, SYSCALL.syscall, SOCKADDR.saddr
- drop-raw: Drop raw (numeric) syscall, arch, UID, GID values if they are translated. Default: false
[enrich] section
Options that can be configured here add information to events.
- execve-env: A list of environment variables to dump for exec events. Default: ["LD_PRELOAD", "LD_LIBRARY_PATH"]
- container: Add container information for processes running within container runtimes. Default: true
- pid: Add context information for process IDs. Default: true
- script: If an exec syscall spawns a script (as opposed to a binary), add a SCRIPT entry to the SYSCALL record. A script is assumed if the first PATH entry does not correspond to the file mentioned in SYSCALL.exe. Default: true
- user-groups: Add the groups that the user (uid) is a member of. Default: true
[label-process] section
Labels can be attached to processes and are added to any event
associated with those processes. Labels can be propagated from
parent to child processes.
- label-exe.<regexp> = <label-name>: Regular expression/label mappings applied to binary executables (SYSCALL.exe) on exec calls. Default: none
- label-script.<regexp> = <label-name>: Regular expression/label mappings applied to scripts (SYSCALL.SCRIPT, see the enrich.script description above) on exec calls. Default: none
- label-keys: A list of keys that are applied as a process label, see auditctl(8)'s -k option. Default: none
- unlabel-exe.<regexp> = <label-name>: Like label-exe, but for removing labels
- unlabel-script.<regexp> = <label-name>: Like label-script, but for removing labels
- propagate-labels: List of labels that are propagated to child processes. Default: empty
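The labelling rules above are easier to reason about with a small model. The following is an added example written for this page, not laurel's own code: it models how label-exe, unlabel-exe, label-keys and propagate-labels interact over a constructed sequence of fork and exec events. Modelling assumptions (not stated in this manual page): labels survive an exec of the same process, only labels listed in propagate-labels are inherited at fork time, and regular expressions are applied with Python's re.search, which is why the patterns are anchored. The regexps, label names, PIDs and executable paths are constructed for the example.

```python
import re

# Constructed [label-process] settings (illustrative values, not defaults).
LABEL_EXE = {r"^/usr/bin/apt-get$": "software_mgmt"}
UNLABEL_EXE = {r"^/usr/bin/dpkg-query$": "software_mgmt"}
LABEL_KEYS = ["interactive_shell"]       # audit rule keys that become labels
PROPAGATE_LABELS = ["software_mgmt"]     # only these survive fork()


class LabelModel:
    """Minimal model of process labelling as documented for [label-process].

    Assumptions (this is a model, not laurel's implementation): labels are kept
    across exec in the same process, only propagate-labels are inherited by a
    child at fork, and regexps are matched with re.search (anchor them).
    """

    def __init__(self, label_exe, unlabel_exe, label_keys, propagate):
        self.label_exe = [(re.compile(rx), lbl) for rx, lbl in label_exe.items()]
        self.unlabel_exe = [(re.compile(rx), lbl) for rx, lbl in unlabel_exe.items()]
        self.label_keys = set(label_keys)
        self.propagate = set(propagate)
        self.labels = {}  # pid -> set of labels currently attached

    def fork(self, parent, child):
        # Child starts with the parent's propagated labels only.
        inherited = self.labels.get(parent, set()) & self.propagate
        self.labels[child] = set(inherited)
        return frozenset(self.labels[child])

    def execve(self, pid, exe, key=None):
        # label-exe and label-keys add labels; unlabel-exe removes them.
        labels = self.labels.setdefault(pid, set())
        for rx, lbl in self.label_exe:
            if rx.search(exe):
                labels.add(lbl)
        if key in self.label_keys:
            labels.add(key)
        for rx, lbl in self.unlabel_exe:
            if rx.search(exe):
                labels.discard(lbl)
        return frozenset(labels)

    def exit(self, pid):
        self.labels.pop(pid, None)


def run_example():
    """Replay a constructed fork/exec sequence; returns labels seen per exec."""
    m = LabelModel(LABEL_EXE, UNLABEL_EXE, LABEL_KEYS, PROPAGATE_LABELS)
    seen = {}
    seen["apt-get"] = m.execve(100, "/usr/bin/apt-get")          # labelled
    m.fork(100, 101)
    seen["dpkg"] = m.execve(101, "/usr/bin/dpkg")                # inherited
    m.fork(101, 102)
    seen["dpkg-query"] = m.execve(102, "/usr/bin/dpkg-query")    # unlabelled
    seen["bash"] = m.execve(200, "/bin/bash", key="interactive_shell")
    m.fork(200, 201)
    seen["ls"] = m.execve(201, "/bin/ls")   # key label is not propagated
    return seen


if __name__ == "__main__":
    for name, labels in run_example().items():
        print(f"{name:12s} {sorted(labels)}")
```

The point the model makes visible: a label that is not listed in propagate-labels (here the one derived from the audit key) stops at the process that acquired it, while a propagated label follows the process tree until an unlabel rule removes it.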
[filter] section
Filters make laurel drop entire events from the log file while still
using them for internal processing such as process tracking.
- filter-keys: A list of strings that are matched against SYSCALL.key to drop the event. Default: empty
- filter-null-keys: Filter events without a key. Default: false
- filter-labels: A list of strings that are matched against process labels. Default: empty
- filter-raw-lines: A list of regular expressions that are matched against individual input lines as written by auditd(8). Events that contain such lines are filtered. Default: empty
- filter-action: What to do with filtered events: drop, or log them to the filterlog defined above.
- keep-first-per-process: Keep the first event observed for any given process even if it would be filtered otherwise. This should only be turned off if reproducible process tracking or process tree reconstruction is not required. Default: true
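A complete /etc/laurel/config.toml that exercises the sections described above, added here as an example for this page (not the project's shipped default configuration). The user name, directory, sizes, regular expressions, audit keys and label names are illustrative; the key names and value types follow the descriptions in this section.

```toml
# Top-level keys form the main section.
user = "_laurel"                  # drop root privileges to this account
directory = "/var/log/laurel"     # base directory for all log files
statusreport-period = 600         # stats to syslog every 10 minutes
input = "stdin"                   # or "unix:/var/run/laurel.sock"
marker = "laurel status report"

[auditlog]
file = "audit.log"
size = 50000000                   # rotate after 50,000,000 bytes
generations = 10
read-users = ["siemcollector"]    # read access granted via POSIX ACL
line-prefix = "laurel "

[filterlog]
file = "filtered.log"
size = 10000000
generations = 3
read-users = ["siemcollector"]

[transform]
execve-argv = ["array", "string"] # emit both ARGV and ARGV_STR
execve-argv-limit-bytes = 10000   # trim the middle of very long argv

[translate]
userdb = true
universal = true
drop-raw = false                  # keep numeric values next to translations

[enrich]
execve-env = ["LD_PRELOAD", "LD_LIBRARY_PATH"]
container = true
pid = true
script = true
user-groups = true

[label-process]
label-keys = ["software_mgmt"]
label-exe."^/usr/bin/apt-get$" = "software_mgmt"
label-script.'^/usr/local/sbin/deploy\.sh$' = "deploy"
unlabel-exe."^/usr/bin/dpkg-query$" = "software_mgmt"
propagate-labels = ["software_mgmt", "deploy"]

[filter]
filter-keys = ["fstrace"]
filter-null-keys = false
filter-raw-lines = ['^type=USER_ACCT .*res=success$']
filter-action = "log"             # filtered events still land in filterlog
keep-first-per-process = true
```

Validate the file with `laurel --dry-run --config /etc/laurel/config.toml` before reloading, and note that with filter-action = "log" the filtered events are still written to disk, so the filterlog needs the same rotation and read-users care as the main audit log.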
SIGNALS
SIGHUP causes laurel to process any buffered input and restart. It
can be used to reconfigure laurel without having to restart
auditd(8), which would likely lead to lost audit messages.
AUTHORS
- Hilko Bengen «bengen@hilluzination.de»
- Sergej Schmidt «sergej@msgpeek.net»