oracular (8) laurel2audit.8.gz

Provided by: laurel_0.6.2-2build1_amd64 bug

NAME

       laurel2audit(8) – transform Laurel logs to back to original Linux Audit format

SYNOPSIS

       This  is a simple filter that reads logs written by laurel(8) and outputs Linux Audit logs
       that the audit tools and laurel itself should be able to digest.

NOTES

       “Enriched” (i.e. ALL_CAPS) keys in audit records are discarded.

       EXECVE records are output on one, possibly very long, line.

       If laurel has transformed  EXECVE  argument  lists  to  single  strings  (ARGV_STR),  that
       transformation  may  have  been lossy: There is no way to discern space characters as gaps
       between arguments from space characters as part of individual arguments.

       An end-of-event (EOE) marker is output for every event.  This marker is not  part  of  the
       original  audit.log  file,  but  it  has  originally been transmitted by the kernel and is
       passed by auditd(8) to plugins.

BUGS

       • URL-encoded single bytes within strings are not yet handled.

       • Possibly more.

SEE ALSO

       laurel(8), aulast(8), aulastlog(8), aureport(8), ausearch(8), ausyscall(8), auvirt(8)

AUTHORS

       • Hilko Bengen <<bengen@hilluzination.de>>