Hello,

 

As I understand it, long values recorded by auditd are stored as hex encoded strings. However, when I attempt to decode arguments such as a0 or a1 in SYSCALL events, they are decoded into special characters instead of ASCII. Are these values encoded differently than PROCTITLE events?

 

Below is an example log line:

 

type=SYSCALL msg=audit(1574182099.559:2002): arch=c000003e syscall=59 success=yes exit=0 a0=55df330a3c10 a1=55df330a3c78 a2=55df330a3c90 a3=0 items=3 ppid=29664 pid=29678 auid=1171 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=170 comm="apt-check" exe="/usr/bin/python3.5" key="rootcmd"

 

In this example, I am looking to decode a0, a1, and a2. Yes, it seems that ausearch can decode these values. However, I am looking to decode them via Splunk. What format are these strings encoded in and is there a way to decode these values in any other way other than by using ausearch?