Audit log converter


Aushape is a tool and a library for converting Linux audit log messages to JSON and XML, allowing both single-shot and streaming conversion.

Aushape output schemas are still in flux, but the main idea is to aggregate the input records belonging to the same event into a single output event object/element, while keeping the naming and structure as close to the original audit log as possible:

A truncated JSON example (optional source text included):

{
    "serial"    : 123,
    "time"      : "2016-01-03T02:37:51.394+02:00",
    "host"      : "",
    "text"   : [
        " type=SYSCALL ...",
        " type=PROCTITLE ...",
        ...
    ],
    "data"   : {
        "syscall"   : {
            "syscall"   : ["rt_sigaction","13"],
            "success"   : ["yes"],
            "exit"      : ["0"],
            ...
        },
        "proctitle" : {
            "proctitle" : ["bash","\"bash\""]
        }
    }
}

A truncated XML example (optional source text included):

<?xml version="1.0" encoding="UTF-8"?>
<event serial="194433" time="2016-01-03T02:37:51.394+02:00" host="">
    <text>
        <line> type=SYSCALL ...</line>
        <line> type=PROCTITLE ...</line>
        ...
    </text>
    <data>
        <syscall>
            <syscall i="rt_sigaction" r="13"/>
            <success i="yes"/>
            <exit i="0"/>
            ...
        </syscall>
        <proctitle>
            <proctitle i="bash" r="&quot;bash&quot;"/>
        </proctitle>
    </data>
</event>
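As an added illustration of the aggregation idea above (example code written for this page, not part of aushape), the following Python groups raw audit records by their audit(timestamp:serial) id into event objects shaped like the JSON example. The sample records are constructed; unlike aushape, this keeps only the raw field value (no interpreted counterpart such as "rt_sigaction"), so each value list has a single entry.

```python
import json
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Every raw audit record starts with: type=TYPE msg=audit(SECS.MSEC:SERIAL): name=value ...
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<msec>\d+):(?P<serial>\d+)\): ?(?P<body>.*)$')
# name=value pairs; a value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample input (not real log data): two records of event 123, one of event 124
SAMPLE = [
    'type=SYSCALL msg=audit(1451781471.394:123): arch=c000003e syscall=13 success=yes exit=0 pid=4321 comm="bash"',
    'type=PROCTITLE msg=audit(1451781471.394:123): proctitle=62617368',
    'type=SYSCALL msg=audit(1451781471.401:124): arch=c000003e syscall=59 success=no exit=-2 pid=4322 comm="bash"',
]

def parse_record(line):
    """Split one raw record into (serial, ISO time, lowercase type, [(name, value), ...])."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    secs, msec, serial = int(m['secs']), int(m['msec']), int(m['serial'])
    when = datetime.fromtimestamp(secs, timezone.utc).replace(microsecond=msec * 1000)
    return serial, when.isoformat(timespec='milliseconds'), m['type'].lower(), FIELD_RE.findall(m['body'])

def convert(lines):
    """Aggregate records sharing a serial into one event each (input order preserved).

    Mirrors the page's layout: serial/time/host, the raw lines under "text", and
    per-record-type field lists under "data". Field values stay raw and uninterpreted.
    """
    events = OrderedDict()
    for line in lines:
        serial, when, rtype, fields = parse_record(line)
        ev = events.setdefault(serial, {"serial": serial, "time": when, "host": "",
                                        "text": [], "data": {}})
        ev["text"].append(line)
        record = ev["data"].setdefault(rtype, {})
        for name, value in fields:
            record.setdefault(name, []).append(value)
    return list(events.values())

def to_json(lines):
    """Single-shot conversion of a whole log: one JSON array of event objects."""
    return json.dumps(convert(lines), indent=4)

if __name__ == "__main__":
    print(to_json(SAMPLE))
```

A real stream needs an end-of-event rule (the audit EOE record or a timeout) before an event can be emitted; this batch version only returns everything once the input is exhausted.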

Aushape can be used on the command line for a single-shot conversion of a log file:

aushape -ljson audit.log > audit.json
aushape -lxml audit.log > audit.xml

or as an audispd plugin, converting audit log messages on the fly and logging them via syslog(3):

aushape -l json --events-per-doc=none --fold=all -o syslog

See more in

We develop aushape as part of a user session recording project. However, it is designed to be useful in general, is developed in cooperation with the auditd developers, and is intended to become part of future auditd releases.