Decoding the PROCTITLE Field in Auditd Event Streams with Logstash

The auditd PROCTITLE record carries the full command line used to start a process, and auditd hex-encodes it whenever the process had arguments. Learn how to decode it with a Ruby filter inside Logstash.

Problem Overview

When processing auditd events, the PROCTITLE field usually arrives hex-encoded. The kernel records argv as a sequence of NUL-separated strings, and auditd hex-encodes any value that contains NUL or other bytes it treats as untrusted; the only common exception is a bare command name with no arguments, which is written as a plain double-quoted string. The raw hex is unreadable, and the NUL separators survive a naive decode, so making the field human-readable means both decoding the hex and replacing each NUL with a space. A Ruby filter in the Logstash pipeline configuration can do both.

Solution: Using Ruby Code in Logstash

To decode the PROCTITLE field, add a Ruby filter to your Logstash pipeline configuration. The filter below only decodes values that are pure hex (so events without the field, or with a plain-text value, pass through untouched) and turns the NUL argument separators into spaces. Here is the recommended insertion:
ruby {
    code => '
      v = event.get("commandline")
      event.set("commandline", [v].pack("H*").force_encoding("UTF-8").tr("\0", " ")) if v.is_a?(String) && v.match?(/\A\h+\z/)
    '
}

How It Works

  1. Retrieve the encoded data: event.get("commandline") reads the PROCTITLE value from the event. The is_a?(String) guard skips events that lack the field; without it event.get returns nil and the filter raises on every such event.
  2. Decode only what is hex: match?(/\A\h+\z/) checks that the value consists solely of hex digits. auditd hex-encodes proctitle only when argv contains untrusted bytes (in practice the NUL between arguments); a bare command name arrives as a plain quoted string and must not be fed to the decoder, or it comes out as garbage bytes.
  3. Decode the hex: pack("H*") is an Array method, which is why the value is wrapped as [v]. The "H*" directive consumes hex digits in pairs, high nibble first, and emits one byte per pair. The result is a binary (ASCII-8BIT) string, so force_encoding("UTF-8") relabels it before it reaches an output that expects text, and tr("\0", " ") replaces each NUL argument separator with a space so the command line reads as it was typed.
  4. Set the decoded value: event.set writes the decoded string back into commandline, making it available for further processing or output.
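
To exercise the same decoding logic outside Logstash, here is an added example in plain Ruby; it is not SOC Prime's code and not part of the original post. It wraps the pack('H*') decode in a function with the guards described above and adds a small parser for a raw auditd PROCTITLE record line. The record lines, the audit_id and commandline field names, and the hex-looking bare name dd are all constructed for the example.

```ruby
# Added example (not SOC Prime's code): the decoding a Logstash ruby filter does
# for auditd PROCTITLE, written as plain Ruby so it can be exercised offline.
# The field names and sample records below are constructed for this example.

# auditd hex-encodes proctitle when argv contains bytes it treats as untrusted,
# in practice the NUL separators between arguments; a bare command name is
# written as a plain double-quoted string instead.
HEX_RE = /\A\h+\z/

def decode_proctitle(value)
  return value unless value.is_a?(String)
  # plain (quoted) form: strip the quotes, nothing to decode
  return value[1..-2] if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
  # anything that is not an even-length run of hex digits is left untouched
  return value unless value.match?(HEX_RE) && value.length.even?
  # pack('H*') takes an Array and turns each hex-digit pair into one byte;
  # the result is a binary string, so relabel it as UTF-8
  decoded = [value].pack('H*').force_encoding('UTF-8')
  # heuristic guard: a bare name that happens to look like hex (e.g. "dd" with
  # its quotes already stripped) decodes to invalid UTF-8; keep the original
  return value unless decoded.valid_encoding?
  # argv entries are NUL-separated; show them space-separated as typed
  decoded.tr("\0", ' ')
end

# Pull the proctitle= token out of a raw auditd PROCTITLE record and decode it.
# Returns nil for any other record type.
def parse_proctitle_record(line)
  m = line.match(/\Atype=PROCTITLE\s+msg=audit\((?<id>[^)]+)\):\s+proctitle=(?<pt>\S+)/)
  return nil unless m
  { 'audit_id' => m[:id], 'commandline' => decode_proctitle(m[:pt]) }
end

# constructed sample records: "cat /etc/passwd" hex-encoded, and a bare "bash"
SAMPLE_RECORDS = [
  'type=PROCTITLE msg=audit(1700000000.123:456): proctitle=636174002F6574632F706173737764',
  'type=PROCTITLE msg=audit(1700000001.456:457): proctitle="bash"'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RECORDS.each { |rec| p parse_proctitle_record(rec) }
end
```

Run it with ruby to print the two parsed records. Note the order of the checks: the quote test runs before the hex test, because a short bare name such as dd is itself a valid hex string. If your grok pattern strips the quotes from plain values before the Ruby filter sees them, that disambiguation is lost and the valid-UTF-8 heuristic is all that remains; decoding the raw proctitle= token, quotes included, avoids the problem.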

Additional Notes

  • Performance Consideration: Ruby filters can impact Logstash performance in high-throughput environments. Test thoroughly before deploying to production.
  • Field Naming: ensure the commandline field matches the actual field name in your event schema. Update the Ruby code if necessary.
By following this guide, you can efficiently decode HEX-encoded PROCTITLE fields, making auditd event data more accessible and actionable.

The post Decoding the PROCTITLE Field in Auditd Event Streams with Logstash appeared first on SOC Prime.