
custom log format

The audit logger supports custom log formatting. The field names are fixed, but other than that, you can go crazy with your own format.
Available fields:

  • timestamp
  • username
  • group
  • uid
  • guid
  • auid
  • euid
  • egid
  • pid
  • ppid
  • tty
  • command
  • exec_path
  • script
  • cwd
  • env
  • args

good to know

args is always rendered as a JSON array of strings (`["string", ...]`), where the first element is always the command itself.

For example, for ls -la, ${command} will be /bin/ls, while ${args} will be ["ls", "-G", "-la"] (because ls is aliased to ls -G in this shell, the alias expansion ends up in the arguments).

Example configuration #1

```yaml
auditLogger:
  customLogFormat: "[${timestamp}]: (${username}, ${group}) |example text| ${command} % ${args}"
# Rest of the configuration file is omitted
```

Example command:

```bash
ls -la
```

would result in the following log line:

```
[2023-10-03T20:03:03.696Z]: (administrator, staff) |example text| /bin/ls % ["ls", "-G", "-la"]
```

Example configuration #2

```yaml
auditLogger:
  customLogFormat: "/${timestamp}/: ${command} executed with (${args}) arguments"
# Rest of the configuration file is omitted
```

Example command:

```bash
brew --version
```

would result in the following log line:

```
/2023-10-03T20:03:03.696Z/: /bin/bash executed with (["/bin/bash", "/usr/local/bin/brew", "--version"]) arguments
```

Example configuration #3

```yaml
auditLogger:
  customLogFormat: "${username} run ${command}"
# Rest of the configuration file is omitted
```

Example command:

```bash
date +%s
```

would result in the following log line:

```
administrator run /bin/date
```
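To preview a customLogFormat before deploying it, the following added example (not part of the audit logger's own code) re-implements the expansion rules described above: `${field}` placeholders are substituted from an event, only the fixed field names are accepted, and args is emitted as a JSON array. The event values are constructed to reproduce example #1; the field list and the JSON rendering of args come from this page, everything else is an assumption of the example.

```python
import json
import re

# The fixed set of field names the audit logger exposes (taken from the list above).
FIELDS = {
    "timestamp", "username", "group", "uid", "guid", "auid", "euid", "egid",
    "pid", "ppid", "tty", "command", "exec_path", "script", "cwd", "env", "args",
}

_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_]+)\}")


def validate_format(fmt: str) -> list:
    """Return the sorted list of unknown field names referenced in fmt (empty if valid)."""
    return sorted({name for name in _PLACEHOLDER.findall(fmt) if name not in FIELDS})


def render(fmt: str, event: dict) -> str:
    """Expand every ${field} in fmt from the event (assumed behaviour, mirrors the examples).

    List/dict values such as args (and env) are emitted as JSON, which matches the
    ["ls", "-G", "-la"] rendering shown above; json.dumps also escapes newlines and
    control characters, so one event always stays on one log line.
    """
    unknown = validate_format(fmt)
    if unknown:
        raise ValueError(f"unknown field(s) in customLogFormat: {unknown}")

    def expand(m: re.Match) -> str:
        value = event.get(m.group(1), "")
        if isinstance(value, (list, dict)):
            return json.dumps(value)
        return str(value)

    return _PLACEHOLDER.sub(expand, fmt)


# Constructed sample event reproducing example #1 (ls -la, with ls aliased to ls -G).
SAMPLE_EVENT = {
    "timestamp": "2023-10-03T20:03:03.696Z",
    "username": "administrator",
    "group": "staff",
    "command": "/bin/ls",
    "args": ["ls", "-G", "-la"],
}

if __name__ == "__main__":
    fmt = "[${timestamp}]: (${username}, ${group}) |example text| ${command} % ${args}"
    print(render(fmt, SAMPLE_EVENT))
```

Running it prints the same line as example #1; a typo such as `${user}` is rejected up front instead of silently producing an empty field.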