# Custom log format
The audit logger supports custom log formatting. The field names are fixed, but other than that, you can go crazy with your own format.
Available fields:

- `timestamp`
- `username`
- `group`
- `uid`
- `guid`
- `auid`
- `euid`
- `egid`
- `pid`
- `ppid`
- `tty`
- `command`
- `exec_path`
- `script`
- `cwd`
- `env`
- `args`
## Good to know

`args` is always mapped to a `["string", | ["string"] ]` format, where the first element is always the command itself. For example, in the case of `ls -la`, `${command}` will be `/bin/ls`, while `${args}` will be `["ls", "-G", "-la"]` (`ls` is aliased to `ls -G`, so the alias expansion shows up in the arguments).
### Example configuration #1

```yaml
auditLogger:
  customLogFormat: "[${timestamp}]: (${username}, ${group}) |example text| ${command} % ${args}"
# Rest of the configuration file is omitted
```

Example command:

```bash
ls -la
```

would result in the following log line:

```
[2023-10-03T20:03:03.696Z]: (administrator, staff) |example text| /bin/ls % ["ls", "-G", "-la"]
```
### Example configuration #2

```yaml
auditLogger:
  customLogFormat: "/${timestamp}/: ${command} executed with (${args}) arguments"
# Rest of the configuration file is omitted
```

Example command:

```bash
brew --version
```

would result in the following log line:

```
/2023-10-03T20:03:03.696Z/: /bin/bash executed with (["/bin/bash", "/usr/local/bin/brew", "--version"]) arguments
```
### Example configuration #3

```yaml
auditLogger:
  customLogFormat: "${username} run ${command}"
# Rest of the configuration file is omitted
```

Example command:

```bash
date +%s
```

would result in the following log line:

```
administrator run /bin/date
```
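To make the substitution rules concrete, here is a small Python renderer that takes a `customLogFormat` template and an event record and produces the log lines shown in the three examples above. This is an added illustration, not the audit logger's own code: the `${field}` syntax, the field names and the JSON-array shape of `args` come from this page, while the handling of unsupported placeholders (rejected) and of missing values (empty string) are assumptions of the example. The event records are constructed sample data, not real captures.

```python
import json
import re
from typing import Any

# Field names the page lists as available in customLogFormat.
FIELDS = frozenset({
    "timestamp", "username", "group", "uid", "guid", "auid", "euid", "egid",
    "pid", "ppid", "tty", "command", "exec_path", "script", "cwd", "env", "args",
})

# A placeholder is ${name}; everything else in the template is literal text.
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_]+)\}")


def unknown_fields(template: str) -> list[str]:
    """Return placeholder names in `template` that are not supported fields.

    Useful as a config check before deploying a template: a misspelled field
    would otherwise silently produce unusable log lines.
    """
    return [n for n in _PLACEHOLDER.findall(template) if n not in FIELDS]


def render_log_line(template: str, record: dict[str, Any]) -> str:
    """Render one audit log line from a template and an event record.

    `args` is emitted as a JSON array whose first element is the command
    itself, as in the page's examples. Rejecting unsupported placeholders and
    substituting "" for missing values are assumptions of this example, not
    documented behaviour of the logger.
    """
    bad = unknown_fields(template)
    if bad:
        raise ValueError(f"unsupported field(s) in template: {bad}")

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        value = record.get(name)
        if name == "args":
            # JSON encoding keeps the array on one line and escapes quotes and
            # newlines inside individual arguments, so an argument value cannot
            # masquerade as a second log line when the file is parsed later.
            return json.dumps([str(a) for a in (value or [])])
        return "" if value is None else str(value)

    return _PLACEHOLDER.sub(substitute, template)


# Constructed records mirroring the page's three examples (sample data).
RECORDS = {
    "ls": {"timestamp": "2023-10-03T20:03:03.696Z", "username": "administrator",
           "group": "staff", "command": "/bin/ls", "args": ["ls", "-G", "-la"]},
    "brew": {"timestamp": "2023-10-03T20:03:03.696Z", "username": "administrator",
             "group": "staff", "command": "/bin/bash",
             "args": ["/bin/bash", "/usr/local/bin/brew", "--version"]},
    # The page does not show args for `date +%s`; this value is assumed.
    "date": {"timestamp": "2023-10-03T20:03:03.696Z", "username": "administrator",
             "group": "staff", "command": "/bin/date", "args": ["date", "+%s"]},
}

TEMPLATES = {
    "ls": "[${timestamp}]: (${username}, ${group}) |example text| ${command} % ${args}",
    "brew": "/${timestamp}/: ${command} executed with (${args}) arguments",
    "date": "${username} run ${command}",
}


def render_examples() -> dict[str, str]:
    """Render the page's three example templates against the sample records."""
    return {name: render_log_line(TEMPLATES[name], RECORDS[name]) for name in TEMPLATES}


if __name__ == "__main__":
    for name, line in render_examples().items():
        print(f"{name}: {line}")
    # An argument containing a newline still yields a single log line.
    print(render_log_line("${command} ${args}",
                          {"command": "/bin/echo", "args": ["echo", "x\nnot a new line"]}))
```

Running the script prints the three example lines from this page followed by a demonstration line whose argument contains an embedded newline; because `args` is JSON-encoded, that newline is escaped and the entry stays on one line, which is the property a log parser downstream relies on.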