custom log format

The audit logger supports custom log formatting. The field names are fixed, but other than that, you can go crazy with your own format.
Available fields:

• timestamp
• username
• group
• uid
• guid
• auid
• euid
• egid
• pid
• ppid
• tty
• command
• exec_path
• script
• cwd
• env
• args

good to know

args is always mapped to a ["string", | ["string"] ] format, where the first element is always the command itself.

e.g. in case of ls -la, ${command} will be /bin/ls, while ${args} will be ["ls", "-G", "-la"] (ls is aliased to ls -G)

Example configuration #1

auditLogger:
  customLogFormat: "[${timestamp}]: (${username}, ${group}) |example text| ${command} % ${args}"
# Rest of the configuration file is omitted

Example command:

ls -la

would result in the following log line:

[2023-10-03T20:03:03.696Z]: (administrator, staff) |example text| /bin/ls % ["ls", "-G", "-la"]

---

Example configuration #2

auditLogger:
  customLogFormat: "/${timestamp}/: ${command} executed with (${args}) arguments"
# Rest of the configuration file is omitted

Example command:

brew --version

would result in the following log line:

/2023-10-03T20:03:03.696Z/: /bin/bash executed with (["/bin/bash", "/usr/local/bin/brew", "--version"]) arguments

---

Example configuration #3

auditLogger:
  customLogFormat: "${username} run ${command}"
# Rest of the configuration file is omitted

Example command:

date +%s

would result in the following log line:

administrator run /bin/date