
Linux Audit Logs

Overview

This article explains how to ingest your on-prem Linux Audit Logs into Hunters. These logs are the records written by the Linux Audit system, which is used to monitor system calls, file accesses and more. The files should be located in the /var/log/audit/ folder on your Linux machines.


Hunters' Ingestion

For Hunters to integrate with your on-prem Linux Audit Logs, the logs should be collected to a Storage Service (e.g. to an S3 bucket or Azure Blob Storage) shared with Hunters.

Expected Logs Format

In each log file, events should be separated by a newline, with each event in its raw audit record format rather than JSON.

Linux Audit Log First Example:

type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"

Linux Audit Log Second Example:

type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
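As an added illustration (not part of Hunters' documentation or product), the following Python parses records in the raw format shown above and flags lines that do not match it, such as JSON-formatted events. The sample input is constructed from the two example records on this page; the nested `msg='...'` block of the USER_AUTH record is expanded into top-level fields.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two example records from this page, one raw event per line.
SAMPLE_LOG = """type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
"""

# Every raw record starts with "type=<TYPE> msg=audit(<epoch.ms>:<serial>): <body>".
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$'
)
# Body fields are key=value pairs; values are "double-quoted", 'single-quoted' or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_event(line):
    """Parse one raw audit record into a dict; return None if the line is not in raw format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {
        'type': m.group('type'),
        'timestamp': datetime.fromtimestamp(float(m.group('ts')), tz=timezone.utc),
        'serial': int(m.group('serial')),
    }
    for key, raw in KV_RE.findall(m.group('body')):
        value = raw.strip('"\'')
        if key == 'msg':
            # USER_* records carry a nested msg='...' block of further key=value pairs.
            event.update({k: v.strip('"\'') for k, v in KV_RE.findall(value)})
        else:
            event[key] = value
    return event


def parse_log(text):
    """Split a log file into newline-separated events; return (parsed_events, rejected_lines)."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event is None:
            rejected.append(line)   # e.g. a JSON event, which is not the expected format
        else:
            events.append(event)
    return events, rejected
```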