Re: Correlating audit log events

mrcusanelli · ‎07-12-2018

I'm having trouble remembering how to correlate two separate events into one event for RHEL audit log events.

Im trying to capture 1309 events (file deletions) and the related 1307 event (directory of the file deletion). These events are logged at the same time, so im trying to use the transaction command with a maxspan of 1 second. But im only getting the same event types with in that time maxspan time not the related event. i.e two 1307s in that span.

I haven't done this is so long i cant wrap my head around how to do it anymore.

index=os host='hostname' type=1307 OR type=1309 | transaction maxspan=1s

Event examples im trying to correlate

2018-07-12T10:08:44.042301-04:00 'hostname' : type=1307 audit(1531417269.239:49430042): cwd="/apps/SAS/v9.4/config/Lev1/SASDataManagementDataServer/data"

2018-07-12T10:08:44.042301-04:00 'hostname' kernel: [1477027.861370] type=1309 audit(1531404524.033:48993388): argc=3 a0="rm" a1="-i" a2="gary.log"

any help would greatly be appreciated.

woodcock · ‎07-15-2018

Like this:

index=os host='hostname' type=1307 OR type=1309
| stats values(type) by _time

renjith_nair · ‎07-12-2018

Hi @mrcusanelli ,

Have you tried using startswith "type=1307" and endswith type=1309 in the transaction?

https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Transaction#Optional_arguments

---
What goes around comes around. If it helps, hit it with Karma 🙂

mrcusanelli · ‎07-13-2018

I'll give that a try

Correlating audit log events

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases