Thanks for the interest... I'm attempting to develop regex processors within Datadog, specific to auditd log entries.
For the most part, the regex that I have captures the relevant fields that I am interested in. Unfortunately, I am completely unable to dig out the individual entries that are all nested within the msg (message) field.
I have been using the regex101 online parser to assist, and it has found a few discrepancies... but nothing that seems to resolve the issue.
My current, semi-functional regex is as follows:
%{data::keyvalue("=","():\\[\\]")}
and I am attempting to parse logs such as the following:
type=USER_AUTH msg=audit([1701209971.638-1701443789.023]:[645-2018]): pid=[3621-28756] uid=0 auid=4294967295 ses=4294967295 subj=*** msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/* res=success' UID="root" AUID="unset"
Which gives me:
... sorry for the image, I couldn't maintain the formatting otherwise.
As you can see, everything from the audit timestamp down to the result (res=success) is all captured within the "msg: [ ... ]" block and as such, I cannot pull them out for filters and alerting within Datadog.
Would someone be kind enough to take a look at what I have done so far and possibly illustrate where I am going wrong? My regex skills are minimal and apparently not up to the task.
I would like to separate all of the individual entries from the message field into separate fields of their own (timestamp, operation, grantor, account, executable path, hostname, address, terminal, result), similar to what has been accomplished with session, UID, pid, et al.
I appreciate all of your interest in advance, thank you very much.
~tc
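The parsing problem in the post is a two-stage one: the outer line is a flat key=value record, but the second msg field is a single-quoted string that itself contains another key=value record, and the audit(...) header is not a key=value pair at all. The example below, added here and not part of the post or of Datadog's grok processor, shows the structure in plain Python so the separate passes are visible: one regex lifts the timestamp and serial out of the audit(...) header, one key=value pass runs over the outer line, and the same pass is re-run over the extracted msg value, whose fields are stored under a msg. prefix. The sample line is constructed to resemble the poster's record; the numeric and subject values are made up and the field names (audit_timestamp, audit_serial) are assumptions.

```python
import re

# Constructed sample auditd USER_AUTH record; pid, subj, terminal and the
# audit timestamp/serial are invented values, not taken from the poster's line.
SAMPLE = (
    "type=USER_AUTH msg=audit(1701209971.638:645): pid=3621 uid=0 auid=4294967295 "
    "ses=4294967295 subj=unconfined msg='op=PAM:authentication grantors=pam_rootok "
    "acct=\"root\" exe=\"/usr/bin/su\" hostname=? addr=? terminal=/dev/pts/0 res=success' "
    "UID=\"root\" AUID=\"unset\""
)

# The audit(<epoch.millis>:<serial>): header is not a key=value pair, so it is
# handled on its own before the generic pass runs.
HEADER_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")

# key=value where the value is a single-quoted string, a double-quoted string,
# or a bare token running to the next whitespace (covers op=PAM:authentication,
# hostname=?, terminal=/dev/pts/0).
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|\"([^\"]*)\"|(\S+))")


def parse_kv(text):
    """Return an ordered dict of key -> unquoted value for one flat record."""
    fields = {}
    for match in KV_RE.finditer(text):
        key, single, double, bare = match.groups()
        if single is not None:
            fields[key] = single
        elif double is not None:
            fields[key] = double
        else:
            fields[key] = bare
    return fields


def parse_auditd(line):
    """Flatten an auditd line, promoting the nested msg='...' fields to msg.<key>."""
    record = {}
    header = HEADER_RE.search(line)
    if header:
        record["audit_timestamp"] = float(header.group("ts"))
        record["audit_serial"] = int(header.group("serial"))
        # Drop the header so the outer pass does not see it as a second 'msg' key.
        line = line[:header.start()] + line[header.end():]

    outer = parse_kv(line)
    nested = outer.pop("msg", None)   # the quoted inner record, if present
    record.update(outer)

    if nested is not None:
        # Second pass: the same key=value grammar applied to the inner string.
        for key, value in parse_kv(nested).items():
            record[f"msg.{key}"] = value
    return record


if __name__ == "__main__":
    for key, value in parse_auditd(SAMPLE).items():
        print(f"{key}={value!r}")
```

The design point is that a single key=value pass can only ever see msg='...' as one opaque value; the inner fields need a second pass over that value. Mirroring this in a log pipeline means extracting the quoted msg string as its own attribute first and then running a key=value parser against that attribute, rather than trying to make one rule descend into the quotes. Two caveats for real auditd data: keys are case-sensitive (uid=0 and UID="root" are distinct fields, which this code preserves), and auditd hex-encodes some string fields (for example acct or exe) when they contain spaces or quotes, so a production parser should decode an unquoted all-hex value before storing it.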