
By default, the PROCTITLE field of an auditd event carries the command line used to start a process, HEX-encoded. Learn how to decode it with a Ruby filter inside a Logstash pipeline.
Problem Overview
When processing auditd events, the PROCTITLE field arrives HEX-encoded, which makes it unreadable in its raw form. The reason is that auditd hex-encodes any value containing non-printable bytes, and the process title is a copy of /proc/<pid>/cmdline, in which the individual arguments are separated by NUL bytes. To make this information human-readable, we can add a Ruby filter to the Logstash pipeline configuration.
Solution: Using Ruby Code in Logstash
To decode the PROCTITLE field, you can add a Ruby filter to your Logstash pipeline configuration. Here is the recommended insertion:

    ruby {
      code => "event.set('commandline', event.get('commandline').split.pack('H*'))"
    }
How It Works
- Retrieve the Encoded Data: event.get('commandline') reads the HEX-encoded PROCTITLE value from the event. The snippet assumes an earlier filter (for example grok or kv) has already parsed the proctitle= key into a field named commandline.
- Decode the HEX: String#split with no argument splits on whitespace, so for a hex string with no spaces it simply yields a one-element array; it does not split the string into characters. Array#pack('H*') then reads that element as a high-nibble-first hex string and returns the raw bytes it encodes, i.e. the original command line.
- Set the Decoded Value: event.set overwrites the commandline field with the decoded string, making it available to later filters and to the output.
Additional Notes
- Performance Consideration: Ruby filters can impact Logstash performance in high-throughput environments. Test thoroughly before deploying to production.
- Field Naming: ensure the commandline field matches the actual field name in your event schema. Update the Ruby code if necessary.
- Argument Separators: because the value is a copy of argv, the decoded string still contains a NUL byte between arguments (cat\0/etc/passwd rather than cat /etc/passwd). Replace the NULs with spaces, or split on them to keep an argument array, if you want readable output or per-argument matching.
- Non-HEX Values: auditd only hex-encodes a title that contains non-printable bytes; a single-argument command is emitted quoted instead (proctitle="bash"). pack('H*') does not raise on non-hex input, it silently produces garbage bytes, so guard the decode with a hex check such as /\A(?:[0-9A-Fa-f]{2})+\z/.
- Missing Field: if the field is absent, event.get returns nil and .split raises a NoMethodError; the ruby filter then tags the event with _rubyexception and leaves the field untouched. Test for nil before decoding.
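The following Ruby script is an added example, not code from the original post or from SOC Prime. It decodes a raw PROCTITLE value the way the one-line filter above does, but handles the cases from the notes: NUL-separated arguments, the quoted single-argument form, a missing field, and decoded bytes that are not valid UTF-8. It goes beyond the post in one respect, keeping the argument boundaries in a separate array field so detection rules can match on individual arguments. The source field name commandline is taken from the post; the target field [process][args], the StubEvent class and the sample values are assumptions constructed for this example. Inside a real pipeline, the body of the filter method is what goes into the ruby { code => "..." } block.

```ruby
# Added example (not from the SOC Prime post): decoding auditd PROCTITLE values
# the way a Logstash Ruby filter would, with the edge cases handled.
# Ruby 2.4+ standard library only, so it runs offline.

# auditd hex-encodes proctitle whenever it contains non-printable bytes, which is
# always the case for a multi-argument command because the argv entries are
# NUL-separated (the value is a copy of /proc/<pid>/cmdline). A single-argument
# command is emitted quoted instead, e.g. proctitle="bash".
HEX_PROCTITLE = /\A(?:[0-9A-Fa-f]{2})+\z/

# Returns the argv array for a raw PROCTITLE value, or nil when there is none.
def proctitle_args(raw)
  return nil if raw.nil?
  s = raw.to_s.strip
  return nil if s.empty?

  if s.match?(HEX_PROCTITLE)
    bytes = [s].pack('H*')                  # hex -> raw bytes (ASCII-8BIT string)
    args = bytes.split("\0")                # argv entries are NUL-separated
    args.each { |a| a.force_encoding('UTF-8') }
    # Never hand invalid UTF-8 to downstream outputs; replace bad bytes with '?'.
    return args.map { |a| a.valid_encoding? ? a : a.scrub('?') }
  end

  # Quoted form: strip the surrounding double quotes auditd adds.
  s = s[1..-2] if s.length >= 2 && s.start_with?('"') && s.end_with?('"')
  [s]
end

# Human-readable command line, as the post's filter produces it, but with the
# NUL separators turned into spaces instead of being left in the string.
def decode_proctitle(raw)
  args = proctitle_args(raw)
  args && args.join(' ')
end

# Body of a Logstash `ruby { code => "..." }` filter. `event` is any object with
# get/set: LogStash::Event inside a pipeline, the stub below when run offline.
# 'commandline' is the source field from the post; '[process][args]' is an
# assumed target field name, adjust both to your schema.
def filter(event)
  raw = event.get('commandline')
  args = proctitle_args(raw)
  return event if args.nil?                 # field missing or empty: leave the event alone
  event.set('commandline', args.join(' '))
  event.set('[process][args]', args)        # keep argv boundaries for detection rules
  event
end

# Minimal stand-in for LogStash::Event so the example runs outside Logstash.
# Unlike the real Event it does not interpret [a][b] as a nested field reference.
class StubEvent
  def initialize(fields)
    @fields = fields
  end

  def get(key)
    @fields[key]
  end

  def set(key, value)
    @fields[key] = value
  end

  def to_hash
    @fields
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values (not captured from a real host).
  samples = [
    '636174002F6574632F706173737764',       # cat\0/etc/passwd
    '7368002D63006563686F206869',           # sh\0-c\0echo hi
    '"bash"',                               # single-argument, quoted form
    'FF',                                   # a byte that is not valid UTF-8
  ]
  samples.each do |v|
    ev = filter(StubEvent.new('commandline' => v))
    puts "#{v.ljust(34)} => #{ev.to_hash.inspect}"
  end
end
```

If your parser already strips the quotes from the quoted form, a short all-hex title such as cafe would pass the regex and be decoded as bytes; keep the quotes in the raw field until after this step, or check the original auditd line for a leading quote, if that can occur in your data.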
With this filter in place, Logstash decodes PROCTITLE fields on ingest, making auditd event data more accessible and actionable.

The post Decoding the PROCTITLE Field in Auditd Event Streams with Logstash appeared first on SOC Prime.
