Hi Farhan,
Good question. There’s no source of truth (that I know of) for the severity of auditd
event types so I created a lookup based upon my experience. Here it is:
https://github.com/doksu/splunk_auditd/blob/master/linux-auditd/appserver...
Naturally you can change it to suit your environment but any suggestions for improvement
are much appreciated. :)
The app has three identity lookups it merges together: local, directory and learnt. The
first two you’re meant to populate (see here for more details:
https://github.com/doksu/splunk_auditd/wiki/Installation-and-Configuratio...),
but technically you don’t have to bother because version 2 automatically learns posix
identities being used in your environment by periodically updating the ‘learnt’ lookup
based upon USER_START events.
Cheers,
Doug
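The two mechanisms Doug describes above (a severity lookup keyed on the audit record type, and a "learnt" AUID-to-account lookup built from USER_START events) in working form, as an added example that is not the app's own code or Splunk search logic. The log lines are constructed, the severity values are illustrative placeholders rather than the app's lookup, and the field parser, precedence order and function names are this example's own assumptions:

```python
import re

# Constructed sample audit.log records (not real data). The layout follows
# what auditd writes: USER_START carries acct="..." inside a nested msg='...'
# list, SYSCALL carries auid at top level, and auid=4294967295 is the kernel's
# "unset" loginuid for processes that never went through a login session.
SAMPLE_LOG = r"""
type=USER_START msg=audit(1459320000.123:456): pid=1234 uid=0 auid=1000 ses=4 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_unix acct="farhan" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1459320050.456:789): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1300 auid=1000 uid=0 gid=0 euid=0 ses=4 tty=pts0 comm="sudo" exe="/usr/bin/sudo" key="privileged"
type=USER_START msg=audit(1459320100.001:801): pid=2000 uid=0 auid=1001 ses=5 msg='op=PAM:session_open grantors=pam_keyinit,pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.6 addr=10.0.0.6 terminal=ssh res=success'
type=USER_START msg=audit(1459320150.000:850): pid=2100 uid=0 auid=1002 ses=6 msg='op=PAM:session_open grantors=? acct="mallory" exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=failed'
type=ANOM_ABEND msg=audit(1459320200.500:900): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=1500 comm="crond" reason="memory violation" sig=11
type=SERVICE_START msg=audit(1459320300.000:950): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

UNSET_AUID = "4294967295"  # (uint32)-1, printed as "unset" by ausearch -i

# Illustrative severity lookup by record type (assumed values, not the app's
# lookup). Anything not listed falls back to "informational".
SEVERITY = {
    "ANOM_ABEND": "high",
    "ANOM_PROMISCUOUS": "high",
    "USER_AUTH": "medium",
    "SYSCALL": "medium",
    "USER_START": "low",
    "SERVICE_START": "low",
}

# key=value tokens; values may be "double quoted", 'single quoted' or bare.
TOKEN = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Parse one audit record into a flat dict.

    User-space records (USER_START, USER_AUTH, ...) wrap a second key=value
    list in msg='...'; it is parsed recursively and merged into the same dict,
    so acct, res, terminal etc. become top-level keys. Quotes are stripped.
    """
    fields = {}
    for key, value in TOKEN.findall(line):
        if value.startswith("'") and value.endswith("'"):
            fields.update(parse_record(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields


def learn_identities(records):
    """Build the 'learnt' auid -> account map from successful USER_START records.

    Failed session opens are skipped so an attacker cannot poison the lookup
    with a bogus account name from a login that never succeeded.
    """
    learnt = {}
    for r in records:
        if r.get("type") != "USER_START" or r.get("res") != "success":
            continue
        if "auid" in r and "acct" in r and r["auid"] != UNSET_AUID:
            learnt[r["auid"]] = r["acct"]
    return learnt


def resolve_auid(auid, local, learnt):
    """Resolve a loginuid: explicit local lookup wins, then learnt, else a marker."""
    if auid is None:
        return "unknown"
    if auid == UNSET_AUID:
        return "unset"
    return local.get(auid) or learnt.get(auid) or "auid:" + auid


def enrich(log_text, local=None):
    """Tag every record with a resolved user and a severity."""
    local = local or {}
    records = [parse_record(l) for l in log_text.strip().splitlines() if l.strip()]
    learnt = learn_identities(records)
    return [
        {
            "type": r.get("type"),
            "auid": r.get("auid"),
            "user": resolve_auid(r.get("auid"), local, learnt),
            "severity": SEVERITY.get(r.get("type"), "informational"),
        }
        for r in records
    ]


if __name__ == "__main__":
    for row in enrich(SAMPLE_LOG):
        print("{type:<14} auid={auid:<10} user={user:<12} severity={severity}".format(**row))
```

The auid is the right join key because the kernel sets it once at login and it survives later uid changes through su or sudo, so the SYSCALL record above still resolves to "farhan" even though uid=0. A local lookup entry takes precedence over the learnt one, which is how an operator overrides a mapping the learner got wrong.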
From: F Rafi <farhanible@gmail.com>
Date: Thursday, 31 March 2016 at 3:01 PM
To: Doksu <doug.brown@qut.edu.au>
Cc: linux-audit@redhat.com, Steve Grubb <sgrubb@redhat.com>
Subject: Re: Linux Auditd app for Splunk
"I've turned SELinux off ... and as per Dan Walsh that's a bad thing."
Love it.
Some questions.
1. For the Severe Events panel: Where is the severity coming from? The auditd logs
don't show a severity rating.
2. AUID to username mapping: How are you doing this? Via tty logs or fetching passwd file
contents somehow?
Thanks,
Farhan
On Wed, Mar 30, 2016 at 8:46 PM, Steve Grubb <sgrubb@redhat.com> wrote:
Hello,
On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote:
This week I released version 2 of the Linux Auditd app for Splunk:
https://splunkbase.splunk.com/app/2642/
Be sure to let me know if you have any suggestions for improvements.
Thanks for posting this. It's good to see utilities like this supporting the
audit daemon.
If anyone else has plugins to logging frameworks, reports, helpful scripts,
etc...feel free to post a notice about them. We are sort of working on a new
home for the audit system at github and can probably dedicate a page to
related and helpful projects.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit