Aushape is a tool and a library for converting Linux audit log messages to JSON and XML, allowing both single-shot and streaming conversion.
Aushape output schemas are still in flux, but the main idea is to aggregate all input records belonging to one audit event into a single output event object (JSON) or element (XML), while keeping the field names and the structure as close to the original audit log as possible:
A truncated JSON example (optional source text included):
[
{
"serial" : 123,
"time" : "2016-01-03T02:37:51.394+02:00",
"host" : "auditdtest.a1959.org",
"text" : [
"node=auditdtest.a1959.org type=SYSCALL ...",
"node=auditdtest.a1959.org type=PROCTITLE ...",
...
],
"data" : {
"syscall" : {
"syscall" : ["rt_sigaction","13"],
"success" : ["yes"],
"exit" : ["0"],
...
},
"proctitle" : {
"proctitle" : ["bash","\"bash\""]
},
...
}
},
...
]
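To make the aggregation idea concrete, here is a small converter written for this page; it is an added illustration, not aushape's own code, and its output only approximates aushape's JSON shape. It groups raw audit records by their "timestamp:serial" event id, keeps the source lines under "text", and, like the example above, emits each field as a list whose first element is the interpreted value (syscall number to name, errno number to name, hex-encoded proctitle to text, quoted strings unquoted) followed by the raw value, or just the raw value when no interpretation applies. The sample log lines, the three-entry x86_64 syscall table and the fixed +02:00 time zone are constructed assumptions so that the result matches the page's example.

```python
"""Aggregate Linux audit records into per-event JSON objects.

Added illustration of the record-aggregation idea; it is NOT aushape's
code and its output only approximates aushape's JSON schema.
"""
import errno
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: two events, each spanning several records.
# Event 123 mirrors the page's rt_sigaction/bash example; event 124 is a
# failed open() with two PATH records (to show repeated record types).
SAMPLE_LOG = """\
node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.394:123): arch=c000003e syscall=13 success=yes exit=0 a0=2 pid=1234 uid=0 comm="bash" exe="/usr/bin/bash"
node=auditdtest.a1959.org type=PROCTITLE msg=audit(1451781471.394:123): proctitle=62617368
node=auditdtest.a1959.org type=SYSCALL msg=audit(1451781471.400:124): arch=c000003e syscall=2 success=no exit=-13 pid=1300 uid=1000 comm="cat" exe="/usr/bin/cat"
node=auditdtest.a1959.org type=CWD msg=audit(1451781471.400:124): cwd="/home/user"
node=auditdtest.a1959.org type=PATH msg=audit(1451781471.400:124): item=0 name="/etc/" inode=2
node=auditdtest.a1959.org type=PATH msg=audit(1451781471.400:124): item=1 name="/etc/shadow" inode=1234
"""

# Line shape: "<head> msg=audit(SECONDS.MILLIS:SERIAL): key=value ..."
MSG_RE = re.compile(
    r"^(?P<head>.*?)msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; a value is either double-quoted (may contain spaces) or bare
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Tiny x86_64 subset, an assumption for illustration (a real tool uses full tables)
X86_64_SYSCALLS = {"2": "open", "13": "rt_sigaction", "59": "execve"}
# Fixed +02:00 so the output matches the page's example timestamp (assumption)
LOCAL_TZ = timezone(timedelta(hours=2))


def audit_time(ts: str) -> str:
    """Turn the audit 'seconds.millis' stamp into an ISO 8601 string."""
    secs, millis = ts.split(".")
    dt = datetime.fromtimestamp(int(secs), LOCAL_TZ) + timedelta(milliseconds=int(millis))
    return dt.isoformat(timespec="milliseconds")


def interpret(name: str, raw: str, record: dict) -> list:
    """Return [interpreted, raw] when the value can be decoded, else [raw]."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return [raw[1:-1], raw]                        # quoted string: drop the quotes
    if name == "syscall" and record.get("arch") == "c000003e" and raw in X86_64_SYSCALLS:
        return [X86_64_SYSCALLS[raw], raw]             # number -> syscall name
    if name == "exit" and re.fullmatch(r"-\d+", raw) and -int(raw) in errno.errorcode:
        return [errno.errorcode[-int(raw)], raw]       # negative exit -> errno name
    if name == "proctitle" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        text = bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
        return [text, raw]                             # hex-encoded argv -> text
    return [raw]


def convert(log_text: str) -> list:
    """Group records by event id (timestamp:serial) into aushape-like objects."""
    events = {}                                        # dict keeps insertion order
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue                                   # not an audit record; skip it
        head = dict(FIELD_RE.findall(m["head"]))       # node=..., type=...
        record = dict(FIELD_RE.findall(m["body"]))     # the record's own fields
        event = events.setdefault((m["ts"], m["serial"]), {
            "serial": int(m["serial"]),
            "time": audit_time(m["ts"]),
            "host": head.get("node", ""),
            "text": [],
            "data": {},
        })
        event["text"].append(line)                     # keep the source line
        fields = {k: interpret(k, v, record) for k, v in record.items()}
        rtype = head.get("type", "unknown").lower()
        existing = event["data"].get(rtype)
        if existing is None:
            event["data"][rtype] = fields              # first record of this type
        elif isinstance(existing, list):
            existing.append(fields)                    # third and later records
        else:
            event["data"][rtype] = [existing, fields]  # second record: promote to list
    return list(events.values())


def to_json(log_text: str) -> str:
    """Single-shot conversion of a whole log text to one JSON document."""
    return json.dumps(convert(log_text), indent=1)


if __name__ == "__main__":
    print(to_json(SAMPLE_LOG))
```

Running the script prints the two events; note how the PATH records of event 124 become a list under "data"/"path", a detail a consumer must handle because a single event routinely carries several records of the same type.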
A truncated XML example (optional source text included):
<?xml version="1.0" encoding="UTF-8"?>
<log>
<event serial="194433" time="2016-01-03T02:37:51.394+02:00" host="auditdtest.a1959.org">
<text>
<line>node=auditdtest.a1959.org type=SYSCALL ...</line>
<line>node=auditdtest.a1959.org type=PROCTITLE ...</line>
...
</text>
<data>
<syscall>
<syscall i="rt_sigaction" r="13"/>
<success i="yes"/>
<exit i="0"/>
...
</syscall>
<proctitle>
<proctitle i="bash" r="&quot;bash&quot;"/>
</proctitle>
...
</data>
</event>
...
</log>
Aushape can be used on the command line for a single-shot conversion of a log file:
aushape -ljson audit.log > audit.json
aushape -lxml audit.log > audit.xml
or as an audispd plugin, converting audit log messages on the fly and logging them via syslog(3):
aushape -l json --events-per-doc=none --fold=all -o syslog
See more in README.md.
We develop aushape as part of a user session recording project. However, it is designed to be useful in general, is developed in cooperation with the auditd developers, and is intended to become part of future auditd releases.