Source: socprime.com – Author: Oleksandr L
[post-views]
December 09, 2024 · 2 min read
By default, the PROCTITLE field contains the command used to start a process, encoded in HEX. Learn how to decode it using a Ruby script within Logstash.
Problem Overview
When processing auditd events, the PROCTITLE field is encoded in HEX format. This makes it unreadable in its raw form. To make this information human-readable, we can use a Ruby script as part of the Logstash pipeline configuration.
Solution: Using Ruby Code in Logstash
To decode the PROCTITLE field, you can add a Ruby filter to your Logstash pipeline configuration. Here’s the recommended insertion:
ruby { code => "event.set('commandline', event.get('commandline').split.pack('H*'))" }How It Works
- Retrieve the Encoded Data – the
event.get('commandline')method retrieves the HEX-encodedPROCTITLEfield from the event. - Decode the HEX: the
.split.pack('H*')method decodes the HEX string into its ASCII equivalent..splitprocesses the HEX string into an array of characters..pack('H*')converts the HEX data into a readable string format.
- Set the Decoded Value: the
event.setmethod updates the event with the decodedcommandlinefield, making it available for further processing or output.
Additional Notes
- Performance Consideration: Ruby filters can impact Logstash performance in high-throughput environments. Test thoroughly before deploying to production.
- Field Naming: ensure the
commandlinefield matches the actual field name in your event schema. Update the Ruby code if necessary.
By following this guide, you can efficiently decode HEX-encoded PROCTITLE fields, making auditd event data more accessible and actionable.
Was this article helpful?
Like and share it with your peers.
Related Posts
Original Post URL: https://socprime.com/blog/decoding-the-proctitle-field-in-auditd-event-streams-with-logstash/
Category & Tags: Blog,Knowledge Bits,ELKStack,Logstash – Blog,Knowledge Bits,ELKStack,Logstash
Views: 2
