
auditd log format

The auditd formatter tries to follow the record format of its Linux counterpart. Due to platform differences, logga's auditd output is not 100% compatible with ausearch, but ausearch can still read it well enough to be useful.

WARNING

auditd support is experimental. We will only allocate resources on improving the capability if we see customer validation.

```bash
type=EXECVE msg=audit(1700003649:56): argc=3 a0=sh a1=-c a2=ioreg -c IOHIDSystem | awk '/HIDIdleTime/ {print $NF; exit}'
type=SYSCALL msg=audit(1700003649:56): arch=c000003e syscall=59 success=yes exit=0 a0=sh a1=-c a2=ioreg -c IOHIDSystem | awk '/HIDIdleTime/ {print $NF; exit}' items=1 ppid=571 pid=47410 auid=501 uid=501 gid=20 euid=501 egid=20 tty= ses=1 comm=sh exe=/bin/bash key="logga"
type=EXECVE msg=audit(1700003649:59): argc=3 a0=sh a1=-c a2=date +%s
type=SYSCALL msg=audit(1700003649:59): arch=c000003e syscall=59 success=yes exit=0 a0=sh a1=-c a2=date +%s items=1 ppid=571 pid=47413 auid=501 uid=501 gid=20 euid=501 egid=20 tty= ses=1 comm=sh exe=/bin/sh key="logga"
type=EXECVE msg=audit(1700003891:45): argc=3 a0=/bin/bash a1=/usr/local/bin/brew a2=--version
type=SYSCALL msg=audit(1700003891:45): arch=c000003e syscall=59 success=yes exit=0 a0=/bin/bash a1=/usr/local/bin/brew a2=--version items=1 ppid=99488 pid=48546 auid=501 uid=501 gid=20 euid=501 egid=20 tty=/dev/ttys002 ses=99487 comm=/bin/bash exe=/bin/bash key="logga"
```
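As an added example (not logga's own code), a small Python parser for records in this format: it pairs each EXECVE with its SYSCALL record by (timestamp, serial), keeps argv values intact even though logga leaves them unquoted when they contain spaces or pipes, and picks out shell one-liners (`sh -c ...`) for review. The sample input is the page's three record pairs, embedded inline; the field list is taken from those lines only.

```python
import re
from collections import defaultdict

# Constructed input: the three EXECVE/SYSCALL pairs shown on this page.
SAMPLE = """\
type=EXECVE msg=audit(1700003649:56): argc=3 a0=sh a1=-c a2=ioreg -c IOHIDSystem | awk '/HIDIdleTime/ {print $NF; exit}'
type=SYSCALL msg=audit(1700003649:56): arch=c000003e syscall=59 success=yes exit=0 a0=sh a1=-c a2=ioreg -c IOHIDSystem | awk '/HIDIdleTime/ {print $NF; exit}' items=1 ppid=571 pid=47410 auid=501 uid=501 gid=20 euid=501 egid=20 tty= ses=1 comm=sh exe=/bin/bash key="logga"
type=EXECVE msg=audit(1700003649:59): argc=3 a0=sh a1=-c a2=date +%s
type=SYSCALL msg=audit(1700003649:59): arch=c000003e syscall=59 success=yes exit=0 a0=sh a1=-c a2=date +%s items=1 ppid=571 pid=47413 auid=501 uid=501 gid=20 euid=501 egid=20 tty= ses=1 comm=sh exe=/bin/sh key="logga"
type=EXECVE msg=audit(1700003891:45): argc=3 a0=/bin/bash a1=/usr/local/bin/brew a2=--version
type=SYSCALL msg=audit(1700003891:45): arch=c000003e syscall=59 success=yes exit=0 a0=/bin/bash a1=/usr/local/bin/brew a2=--version items=1 ppid=99488 pid=48546 auid=501 uid=501 gid=20 euid=501 egid=20 tty=/dev/ttys002 ses=99487 comm=/bin/bash exe=/bin/bash key="logga"
"""

# Field names seen in logga's output; aN are the argv slots. A value runs up to
# the next known key, because logga leaves argv unquoted even with spaces/pipes.
_KEYS = r"type|msg|argc|arch|syscall|success|exit|items|ppid|pid|auid|uid|gid|euid|egid|tty|ses|comm|exe|key|a\d+"
_KEY_RE = re.compile(rf"(?:^| )({_KEYS})=")
_MSG_RE = re.compile(r"audit\((\d+):(\d+)\)")

def parse_record(line):
    """Split one record into a {field: value} dict."""
    hits = list(_KEY_RE.finditer(line))
    rec = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        rec[m.group(1)] = line[m.end():end]
    return rec

def parse_events(lines):
    """Merge the EXECVE and SYSCALL records that share one (timestamp, serial)."""
    events = defaultdict(dict)
    for line in filter(None, map(str.strip, lines)):
        rec = parse_record(line)
        ts, serial = _MSG_RE.search(rec["msg"]).groups()
        ev = events[(int(ts), int(serial))]
        if rec["type"] == "EXECVE":
            ev["argv"] = [rec[f"a{i}"] for i in range(int(rec["argc"]))]
        elif rec["type"] == "SYSCALL":
            for f in ("pid", "ppid", "auid", "uid", "exe", "comm", "tty", "success"):
                ev[f] = rec.get(f, "")
            ev["key"] = rec.get("key", "").strip('"')
    return dict(events)

def shell_spawned(events):
    """Keys of events where a shell ran a one-liner via -c, i.e. a command line
    handed to a shell by another program; a natural place to start a review."""
    return sorted(k for k, ev in events.items()
                  if len(ev.get("argv", [])) >= 3 and ev["argv"][1] == "-c"
                  and ev["argv"][0].rsplit("/", 1)[-1] in ("sh", "bash", "zsh"))
```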