Linux Audit to BSM conversion
audit-userspace
Hints
Some fields have their type defined in auparse/typetab.h.
Understanding a field step by step
- Choose your field.
- Find it in the field dictionary to get an idea of what it is.
- Find out if it is listed in auparse/typetab.h to learn its type.
- You can also run grep -RI -C 2 '<field name>' *tab.h in auparse; your field might be listed in one of those files.
Structure
- A Linux Audit log file is made of events.
- An event is made of records which share the same timestamp and id.
- A record has a type, a timestamp, an id and an arbitrary number of fields.
- A field has a name and a value. It looks like this: name=value.
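As an added example (not code from the audit-userspace project), the following Python script turns a few constructed audit log lines into records and fields and groups the records into events by their shared timestamp and id, exactly as the structure above describes. It also carries a small, hand-written field-to-type table that only imitates the idea behind auparse/typetab.h; the names and types in that table are assumptions for illustration, not the contents of the real file.

```python
import re
from collections import OrderedDict

# Constructed sample input (not captured from a real system): three records that share
# timestamp 1364481363.243 and id 24287 form one event; the USER_LOGIN record is a second event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 items=1 ppid=2686 pid=3538 auid=500 uid=500 comm="cat" exe="/bin/cat" key="sshd_config"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/example"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1364481400.001:24288): pid=3600 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
"""

# Record header: type=<TYPE> msg=audit(<timestamp>:<id>): <fields...>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[0-9]+\.[0-9]+):(?P<id>[0-9]+)\):\s*(?P<body>.*)$"
)
# A field is name=value; the value is bare, "double-quoted", or 'single-quoted'
# (the single-quoted form carries a nested msg='...' string, kept here as one opaque value).
FIELD_RE = re.compile(r"(?P<name>[A-Za-z0-9_-]+)=(?P<value>\"[^\"]*\"|'[^']*'|\S*)")

# Hypothetical, hand-written subset that only illustrates the idea of auparse/typetab.h:
# a field name maps to a type that decides how its value is interpreted. Not the real table.
FIELD_TYPES = {
    "auid": "uid", "uid": "uid", "ouid": "uid",
    "ogid": "gid",
    "syscall": "syscall",
    "arch": "arch",
    "exit": "exit",
    "mode": "mode",
    "exe": "escaped", "comm": "escaped", "name": "escaped", "cwd": "escaped", "key": "escaped",
    "success": "success",
}


def field_type(name):
    """Return the (illustrative) type of a field, or 'unclassified' when it is unknown."""
    return FIELD_TYPES.get(name, "unclassified")


def parse_record(line):
    """Parse one log line into a record: type, timestamp, id and an ordered dict of fields."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields = OrderedDict()
    for fm in FIELD_RE.finditer(m.group("body")):
        value = fm.group("value")
        # Strip the surrounding quotes but keep the raw content untouched.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        fields[fm.group("name")] = value
    return {
        "type": m.group("type"),
        "timestamp": m.group("ts"),  # kept as text so the grouping key is exact
        "id": int(m.group("id")),
        "fields": fields,
    }


def parse_events(text):
    """Group records into events: every record with the same (timestamp, id) belongs to one event."""
    events = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        events.setdefault((record["timestamp"], record["id"]), []).append(record)
    return [
        {"timestamp": ts, "id": eid, "records": records}
        for (ts, eid), records in events.items()
    ]


if __name__ == "__main__":
    for event in parse_events(SAMPLE_LOG):
        print("event %s:%d" % (event["timestamp"], event["id"]))
        for record in event["records"]:
            print("  record type=%s" % record["type"])
            for name, value in record["fields"].items():
                print("    %s=%s (%s)" % (name, value, field_type(name)))
```

The timestamp is deliberately kept as the original text rather than converted to a float, so that two records are grouped only when their header is byte-for-byte the same; a nested msg='...' value is left as one string because its inner fields belong to the originating program, not to the audit record itself.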
Resources
General
Some more definitions and information about the Linux Audit standard.
A file with Linux Audit event parsing library specifications.
Log files
Structure
Linux Audit event field
Linux Audit event record