slackhq/go-audit

How to filter to command run in local0 to 7

liberodark opened this issue · 0 comments

Hi,

I want to filter so that I just see all commands run by users in local0 to 7

I think it is here?

# If kaudit filtering isn't powerful enough you can use the following filter mechanism
filters:
  # Each filter consists of exactly 3 parts
  - syscall: 54 # The syscall id of the message group (a single log line from go-audit), to test against the regex
    message_type: 1306 # The message type identifier containing the data to test against the regex
    regex: saddr=(10..|0A..) # The regex to test against the message specific message types data

For example I want to filter on this:

{"sequence":1737967,"timestamp":"1687420435.434","messages":[{"type":1300,"data":"arch=c000003e syscall=59 success=yes exit=0 a0=5558db82cfb0 a1=5558db82bfe0 a2=5558db70ebc0 a3=8 items=2 ppid=75483 pid=1615780 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm=\"cat\" exe=\"/usr/bin/cat\" subj=unconfined key=(null)"},{"type":1309,"data":"argc=2 a0=\"cat\" a1=\"/var/log/pacman.log\""},{"type":1307,"data":"cwd=\"/root\""},{"type":1302,"data":"item=0 name=\"/usr/bin/cat\" inode=17698222 dev=00:18 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0"},{"type":1302,"data":"item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=18143793 dev=00:18 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0"},{"type":1327,"data":"proctitle=636174002F7661722F6C6F672F7061636D616E2E6C6F67"}],"uid_map":{"0":"root","1000":"pc"}}

Also, I have limited the events to 1327

Best Regards
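As an added illustration (not go-audit's own code, and not part of the issue), here is a small Go program that evaluates a three-part filter entry like the one quoted above against the JSON line from this issue: it checks that the SYSCALL record (type 1300) carries the filter's syscall id and that the regex matches the data of records with the configured message_type. The AuditMsg and Filter types and the matching semantics are assumptions made for this example, not go-audit's API; the sample line is a constructed, shortened copy of the execve event above.

```go
package main

import (
	"encoding/json"
	"regexp"
)

// AuditMsg is the part of a go-audit JSON line that a filter inspects (assumed shape).
type AuditMsg struct {
	Messages []struct {
		Type int    `json:"type"`
		Data string `json:"data"`
	} `json:"messages"`
}

// Filter mirrors one entry of the config's filters list: syscall, message_type, regex.
type Filter struct {
	Syscall     string
	MessageType int
	Regex       *regexp.Regexp
}

// anyRecord reports whether some record of type typ has data matching re.
func anyRecord(m AuditMsg, typ int, re *regexp.Regexp) bool {
	for _, r := range m.Messages {
		if r.Type == typ && re.MatchString(r.Data) {
			return true
		}
	}
	return false
}

// Matches is true when the group's SYSCALL record (type 1300) carries f.Syscall and a
// record of type f.MessageType matches f.Regex (the matching semantics assumed here).
func (f Filter) Matches(m AuditMsg) bool {
	sys := regexp.MustCompile(`\bsyscall=` + regexp.QuoteMeta(f.Syscall) + `\b`)
	return anyRecord(m, 1300, sys) && anyRecord(m, f.MessageType, f.Regex)
}

// sample is a constructed, shortened copy of the execve event quoted in the issue.
const sample = `{"sequence":1737967,"messages":[{"type":1300,"data":"arch=c000003e syscall=59 success=yes uid=0 comm=\"cat\" exe=\"/usr/bin/cat\""},{"type":1309,"data":"argc=2 a0=\"cat\" a1=\"/var/log/pacman.log\""},{"type":1327,"data":"proctitle=636174002F7661722F6C6F672F7061636D616E2E6C6F67"}]}`

// ParseSample decodes the constructed line, returning the JSON error if any.
func ParseSample() (AuditMsg, error) {
	var m AuditMsg
	err := json.Unmarshal([]byte(sample), &m)
	return m, err
}
```

As far as I recall, go-audit uses a matching filter to drop the message group rather than to keep it, so a rule intended to keep only execve (syscall 59) events needs to be written the other way round; verify this against the marshaller code of the version you run before relying on it.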