By default, the PROCTITLE
field contains the command used to start a process, encoded in HEX. Learn how to decode it using a Ruby script within Logstash.
Problem Overview
When processing auditd events, the PROCTITLE
field is encoded in HEX format. This makes it unreadable in its raw form. To make this information human-readable, we can use a Ruby script as part of the Logstash pipeline configuration.
Solution: Using Ruby Code in Logstash
PROCTITLE
field, you can add a Ruby filter to your Logstash pipeline configuration. Here’s the recommended insertion:ruby {
code => "event.set('commandline', event.get('commandline').split.pack('H*'))"
}
How It Works
- Retrieve the Encoded Data – the
event.get('commandline')
method retrieves the HEX-encodedPROCTITLE
field from the event. - Decode the HEX: the
.split.pack('H*')
method decodes the HEX string into its ASCII equivalent..split
processes the HEX string into an array of characters..pack('H*')
converts the HEX data into a readable string format.
- Set the Decoded Value: the
event.set
method updates the event with the decodedcommandline
field, making it available for further processing or output.
Additional Notes
- Performance Consideration: Ruby filters can impact Logstash performance in high-throughput environments. Test thoroughly before deploying to production.
- Field Naming: ensure the
commandline
field matches the actual field name in your event schema. Update the Ruby code if necessary.
PROCTITLE
fields, making auditd event data more accessible and actionable.The post Decoding the PROCTITLE Field in Auditd Event Streams with Logstash appeared first on SOC Prime.