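##
## SPDX-FileCopyrightText: 2021 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##

# ---------------------------------------------------------------------------
# collectd write_http (JSON) metric extractions.
#
# Each stanza below takes the N entries of the "values":[...] array and pairs
# them positionally with the N entries of "dsnames":[...]. The resulting field
# name is <type>_<type_instance>_<dsname> (or <type>_<dsname> when
# type_instance is empty) and the field value is the matching value.
# The `.*` between the "values" and "dsnames" arrays is greedy and assumes one
# collectd record per Splunk event -- verify the line breaking in props.conf
# keeps it that way, otherwise values from one record can be paired with the
# dsnames of the next.
# ---------------------------------------------------------------------------

[http_one_item_field]
# $1 = value[0], $2 = dsnames[0], $3 = type, $4 = type_instance
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
FORMAT = $3_$4_$2::$1
WRITE_META = true

[http_one_item_field_no_type_instance]
# $1 = value[0], $2 = dsnames[0], $3 = type
# Matches only when "type_instance" is an empty string (or unquoted/absent
# value followed directly by , or }).
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
FORMAT = $3_$2::$1
WRITE_META = true

[http_two_item_fields]
# $1 = value[0], $2 = value[1], $3 = dsnames[0], $4 = dsnames[1], $5 = type,
# $6 = type_instance
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
FORMAT = $5_$6_$3::$1 $5_$6_$4::$2
WRITE_META = true

[http_two_item_fields_no_type_instance]
# $1 = value[0], $2 = value[1], $3 = dsnames[0], $4 = dsnames[1], $5 = type
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
FORMAT = $5_$3::$1 $5_$4::$2
WRITE_META = true

[http_three_item_fields]
# $1 = value[0], $2 = value[1], $3 = value[2], $4 = dsnames[0], $5 = dsnames[1],
# $6 = dsnames[2], $7 = type, $8 = type_instance
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:"|)([^"]+)(?:"|)(?:,|\})
FORMAT = $7_$8_$4::$1 $7_$8_$5::$2 $7_$8_$6::$3
WRITE_META = true

[http_three_item_fields_no_type_instance]
# $1 = value[0], $2 = value[1], $3 = value[2], $4 = dsnames[0], $5 = dsnames[1],
# $6 = dsnames[2], $7 = type
REGEX = "values":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*dsnames":\s*\[(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|),(?:"|)([^",]+)(?:"|)\].*,"type":(?:"|)([^"]*)(?:"|),"type_instance":(?:""|)(?:,|\})
FORMAT = $7_$4::$1 $7_$5::$2 $7_$6::$3
WRITE_META = true

# ---------------------------------------------------------------------------
# Linux audit (auditd) field extractions.
#
# Several values in an audit record (name=, comm=, exe=, proctitle=, ...) are
# chosen by the process that triggered the record, i.e. by a potential
# attacker. Every capture below therefore stops at a delimiter the audit
# subsystem itself emits instead of scanning to the end of the event, so that
# crafted content cannot bleed into a neighbouring field.
# ---------------------------------------------------------------------------

# uncomment below stanza if you are collecting data using syslog server with sourcetype syslog
#[linux_syslog_audit]
#DEST_KEY = MetaData:Sourcetype
#REGEX = type=\S+\s+msg=audit
#FORMAT = sourcetype::linux:audit

[event_id]
# msg=audit(<epoch.millis>:<serial>):  ->  time_stamp = $1, event_id = $2
# The serial is captured with [^)]+ instead of a greedy .+ : a greedy match
# runs to the LAST "):" in the event, so a later "):" inside an
# attacker-controlled value (e.g. a file name in name="...") would append the
# rest of the record to event_id and break correlation of the SYSCALL/PATH/
# CWD records that share one serial. For well-formed records both forms
# extract the same digits.
REGEX = msg=audit\(([^:]+):([^)]+)\):
FORMAT = time_stamp::$1 event_id::$2

[op]
# op=<operation> followed by the next key=value pair; the trailing \s+\S+=
# keeps the capture from swallowing the following key name.
REGEX = op=([^=]+)\s+\S+=
FORMAT = op::$1

[subject]
# SELinux subject context subj=user:role:type:level. The level (MLS range)
# may itself contain ':' so it is captured as the remainder with \S+.
REGEX = subj=([^:]+):([^:]+):([^:]+):(\S+)
FORMAT = subj_context_user::$1 subj_context_role::$2 subj_context_domain::$3 subj_context_sensitivity::$4

[object]
# SELinux object context obj=user:role:type:level, same layout as [subject].
REGEX = obj=([^:]+):([^:]+):([^:]+):(\S+)
FORMAT = obj_context_user::$1 obj_context_role::$2 obj_context_type::$3 obj_context_sensitivity::$4

[res]
# Outcome of the audited action; auditd emits either success/failed or 1/0.
REGEX = res=(1|0|success|failed)
FORMAT = res::$1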