Collect Linux Audit Daemon logs
This document explains how to ingest Linux Audit Daemon (auditd) logs to Google Security Operations using Bindplane.
The Linux Audit Daemon is the userspace component of the Linux auditing system. It records security-relevant events on the system, including file access, system calls, authentication events, and SELinux denials. Auditd logs are essential for compliance monitoring, intrusion detection, and forensic analysis on Linux hosts.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance.
- Windows Server 2016 or later, or a Linux host with systemd.
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
- Root or sudo access on the Linux host running auditd.
- The `auditd` package installed and running on the source Linux host.
- The `audispd-plugins` package installed on the source Linux host (provides the `audisp-syslog` plugin).
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open Command Prompt or PowerShell as an administrator.
- Run the following command:

```
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
```
Linux installation
- Open a terminal with root or sudo privileges.
- Run the following command:

```
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
```
Additional installation resources
For additional installation options, see Bindplane agent installation guide.
Configure the Bindplane agent to ingest syslog and send to Google SecOps
Access the configuration file:
- Linux: `/etc/observiq-otel-collector/config.yaml`
- Windows: `C:\Program Files\observIQ OpenTelemetry Collector\config.yaml`

Edit the `config.yaml` file as follows:

```yaml
receivers:
  udplog:
    # Replace the port and IP address as required
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    # Adjust the path to the credentials file you downloaded in Step 1
    creds_file_path: '/path/to/ingestion-authentication-file.json'
    # Replace with your actual customer ID from Step 2
    customer_id: '<your_customer_id>'
    endpoint: malachiteingestion-pa.googleapis.com
    # Add optional ingestion labels for better organization
    log_type: 'AUDITD'
    raw_log_field: body
    ingestion_labels:

service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - udplog
      exporters:
        - chronicle/chronicle_w_labels
```

- Replace the port and IP address as required in your infrastructure.
- Replace `<your_customer_id>` with the actual Customer ID.
- Update `/path/to/ingestion-authentication-file.json` to the file path where the authentication file was saved in the Get ingestion authentication file step.
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Linux:

Run the following command:

```
sudo systemctl restart observiq-otel-collector
```

Verify the service is running:

```
sudo systemctl status observiq-otel-collector
```

Check logs for errors:

```
sudo journalctl -u observiq-otel-collector -f
```
To restart the Bindplane agent in Windows:
Choose one of the following options:
- Command Prompt or PowerShell as administrator:

```
net stop observiq-otel-collector && net start observiq-otel-collector
```

- Services console:
  - Press Win+R, type `services.msc`, and press Enter.
  - Locate observIQ OpenTelemetry Collector.
  - Right-click and select Restart.

Verify the service is running:

```
sc query observiq-otel-collector
```

Check logs for errors:

```
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
```
Configure auditd to forward logs via syslog
The audisp syslog plugin forwards audit events to syslog, which then sends them to the Bindplane agent. This is the recommended method for forwarding auditd logs.
Install the audisp syslog plugin
- Sign in to the Linux host running auditd with root or sudo privileges.
- Install the `audispd-plugins` package:
  - RHEL/CentOS/Fedora:

```
sudo yum install audispd-plugins
```

  - Debian/Ubuntu:

```
sudo apt install audispd-plugins
```
Configure the syslog plugin
Edit the syslog plugin configuration file:

```
sudo nano /etc/audit/plugins.d/syslog.conf
```

Set the following values in the file:

```
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL6
format = string
```

- active: Set to `yes` to enable the plugin.
- path: The path to the `audisp-syslog` binary.
- type: Set to `always` to run the plugin as an external program.
- args: The syslog facility to use. `LOG_LOCAL6` is recommended to separate audit logs from other syslog messages. If the plugin fails to start with an unknown-priority error, your audisp-syslog version expects the priority before the facility (`args = LOG_INFO LOG_LOCAL6`); check `man audisp-syslog` on the host.
- format: Set to `string` to pass events in a text format suitable for syslog.
Configure audit rules (optional)
Edit the audit rules file to define which events to capture:

```
sudo nano /etc/audit/rules.d/audit.rules
```

Add rules based on your monitoring requirements. For example:

```
## Delete all existing rules
-D
## Set buffer size (increase for high-volume systems)
-b 8192
## Set failure mode (1 = printk, 2 = panic)
-f 1
## Monitor authentication-related files
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
## Monitor login events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
## Monitor process execution
-a always,exit -F arch=b64 -S execve -k exec
## Monitor network configuration changes
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network
## Make the configuration immutable (must be the last rule)
-e 2
```

Note that once `-e 2` is loaded the audit configuration is locked: any further `auditctl` change, including the temporary watch used in the Verify log forwarding step, is rejected until the next reboot. Add the immutable flag only after verification is complete.

Load the new audit rules:

```
sudo augenrules --load
```
Restart auditd
Restart the auditd service to apply the plugin and rules changes:
```
sudo service auditd restart
```
Configure rsyslog to forward audit logs to Bindplane
Create a new rsyslog configuration file for audit log forwarding:

```
sudo nano /etc/rsyslog.d/audit-forward.conf
```

Add the following line to forward logs via UDP to the Bindplane agent:

```
local6.* @<BINDPLANE_IP>:514
```

Restart rsyslog to apply the changes:

```
sudo systemctl restart rsyslog
```
Verify log forwarding
On the source Linux host, generate a test audit event:

```
sudo auditctl -w /tmp/test_audit -p wa -k test_chronicle
```

Trigger the watch by touching the file:

```
touch /tmp/test_audit
```

On the Bindplane agent host, verify that logs are being received:

```
sudo journalctl -u observiq-otel-collector -f
```
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| acct | target.user.userid | Value taken from acct field. |
| addr | principal.ip | Value taken from addr field if it is a valid IP address. |
| arch | additional.fields | Added as a key-value pair with key "arch". |
| auid | principal.user.userid | Value taken from auid field. Used as the audit user ID. |
| comm | target.process.command_line | Value taken from comm field. |
| cwd | additional.fields | Added as a key-value pair with key "cwd". |
| exe | target.process.file.full_path | Value taken from exe field. |
| exit | additional.fields | Added as a key-value pair with key "exit". |
| gid | principal.user.group_identifiers | Value taken from gid field. |
| hostname | principal.hostname | Value taken from hostname field. |
| key | security_result.detection_fields | Added as a key-value pair with key "audit_key". |
| msg | metadata.description | Parsed from the msg field. Contains the audit event message. |
| name | target.file.full_path | Value taken from name field when applicable. |
| node | principal.hostname | Value taken from node field if hostname is not present. |
| op | metadata.product_event_type | Value taken from op field (operation type). |
| pid | principal.process.pid | Value taken from pid field. |
| ppid | principal.process.parent_process.pid | Value taken from ppid field. |
| res | security_result.action | Set to "ALLOW" if res is "success" or "1". Set to "BLOCK" if res is "failed" or "0". |
| ses | network.session_id | Value taken from ses field (session ID). |
| subj | principal.process.file.full_path | Value taken from subj field (SELinux subject context). |
| syscall | additional.fields | Added as a key-value pair with key "syscall". |
| terminal | additional.fields | Added as a key-value pair with key "terminal". |
| type | metadata.product_event_type | Value taken from type field (audit record type, e.g., SYSCALL, USER_LOGIN, EXECVE). |
| uid | principal.user.userid | Value taken from uid field. |
| | metadata.event_type | Derived from audit record type. Set to "USER_LOGIN" for login events, "USER_LOGOUT" for logout events, "PROCESS_LAUNCH" for exec events, "FILE_MODIFICATION" for file events. Defaults to "GENERIC_EVENT". |
| | metadata.product_name | Set to "auditd". |
| | metadata.vendor_name | Set to "Linux". |
| home | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| shell | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| name | event.idm.read_only_udm.target.user.userid | Mapped from changelog |
| name | event.idm.read_only_udm.target.group.group_display_name | Mapped from changelog |
| UID | event.idm.read_only_udm.target.user.product_object_id | Mapped from changelog |
| GID | event.idm.read_only_udm.target.user.group_identifiers | Mapped from changelog |
| GID | event.idm.read_only_udm.target.group.product_object_id | Mapped from changelog |
| key_type | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| hash | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| key_fingerprint | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| user | event.idm.read_only_udm.target.user.userid | Mapped from changelog |
| error_detail1 | event.idm.read_only_udm.security_result.summary | Mapped from changelog |
| service_name | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| ssh_disconnect_code | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| labels.bp_csoc | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| labels.bp_env_id | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| labels.log.file.name | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| resource.labels.node_id | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| intermediary_host | event.idm.read_only_udm.intermediary.hostname | Mapped from changelog |
| PWD | event.idm.read_only_udm.target.file.full_path | Mapped from changelog |
| log_details | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| indicator.SUID | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| indicator.UID | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| indicator.AUID | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| type_crypto_props.msg | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| usr | event.idm.read_only_udm.principal.user.userid | Mapped from changelog |
| pi | event.idm.read_only_udm.principal.process.pid | Mapped from changelog |
| cmnd | event.idm.read_only_udm.target.process.command_line | Mapped from changelog |
| proctitle_value | event.idm.read_only_udm.principal.process.file.full_path | Mapped from changelog |
| filename | event.idm.read_only_udm.principal.process.file.names | Mapped from changelog |
| filepath | event.idm.read_only_udm.target.file.full_path | Mapped from changelog |
| uid | event.idm.read_only_udm.principal.user.userid | Mapped from changelog |
| acct | event.idm.read_only_udm.principal.user.user_display_name | Mapped from changelog |
| exe | event.idm.read_only_udm.target.process.file.full_path | Mapped from changelog |
| pid | event.idm.read_only_udm.principal.process.pid | Mapped from changelog |
| auid | event.idm.read_only_udm.about.user.userid | Mapped from changelog |
| ses | event.idm.read_only_udm.network.session_id | Mapped from changelog |
| addr | event.idm.read_only_udm.principal.ip and event.idm.read_only_udm.principal.asset.ip | Mapped from changelog |
| subj | event.idm.read_only_udm.additional.fields | Mapped from changelog |
| res | event.idm.read_only_udm.security_result.summary | Mapped from changelog |
| op | event.idm.read_only_udm.security_result.summary | Mapped from changelog |
| msg_value | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| grantors_value | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| indicator.msg | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| indicator.grantors | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| terminal | event.idm.read_only_udm.principal.application | Mapped from changelog |
| sec_result | event.idm.read_only_udm.security_result | Mapped from changelog |
| hostname | event.idm.read_only_udm.principal.hostname | Mapped from changelog |
| indicator.mode | event.idm.read_only_udm.src.user.attribute.permissions | Mapped from changelog |
| indicator.nametype | event.idm.read_only_udm.security_result.rule_name | Mapped from changelog |
| indicator.cap_frootid | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| indicator.cap_fver | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| indicator.cap_fi | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| indicator.cap_fp | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| indicator.cap_fe | event.idm.read_only_udm.security_result.detection_fields | Mapped from changelog |
| OUID | event.idm.read_only_udm.principal.user.userid | Mapped from changelog |
| OGID | event.idm.read_only_udm.principal.group.group_display_name | Mapped from changelog |
| action_data | event.idm.read_only_udm.security_result.action_details | Mapped from changelog |
| target_email | event.idm.ready_only_udm.target.user.email_addresses | Mapped from changelog |
| target_port | event.idm.ready_only_udm.target.port | Mapped from changelog |
| status | event.idm.ready_only_udm.security_result.action_details | Mapped from changelog |
| to_email | event.idm.ready_only_udm.network.email.to | Mapped from changelog |
| target_hostname | event.idm.ready_only_udm.target.hostname | Mapped from changelog |
| relay_data | event.idm.ready_only_udm.additional.fields | Mapped from changelog |
| delays_data | event.idm.ready_only_udm.additional.fields | Mapped from changelog |
| delay_data | event.idm.ready_only_udm.additional.fields | Mapped from changelog |
| dns_data | event.idm.ready_only_udm.additional.fields | Mapped from changelog |
| bytes_sent | event.idm.ready_only_udm.network.sent_bytes | Mapped from changelog |
| bytes_received | event.idm.ready_only_udm.network.received_bytes | Mapped from changelog |
| response_code | event.idm.ready_only_udm.network.http.response_code | Mapped from changelog |
| principal_user_name | principal.user.userid | Mapped from changelog |
| remote | principal.ip | Mapped from changelog |
| method | network.http.method | Mapped from changelog |
| path | principal.file.full_path | Mapped from changelog |
| code | additional.fields | Mapped from changelog |
| size | principal.file.size | Mapped from changelog |
| agent | network.http.user_agent | Mapped from changelog |
| az | principal.location.name | Mapped from changelog |
| ec2_instance_id | principal.asset.product_object_id | Mapped from changelog |
| private_ip | principal.ip | Mapped from changelog |
| ProviderName | additional.fields | Mapped from changelog |
| Version | additional.fields | Mapped from changelog |
| Task | additional.fields | Mapped from changelog |
| EventRecordID | additional.fields | Mapped from changelog |
| ThreadID | additional.fields | Mapped from changelog |
| messageType | target.resource.attribute.labels | Mapped from changelog |
| owner | principal.user.userid | Mapped from changelog |
| logevent.id | metadata.product_log_id | Mapped from changelog |
| logGroup | secu_result.about.resource.name | Mapped from changelog |
| logStream | secu_result.about.resource.attribute.labels | Mapped from changelog |
| ip_addr | principal.ip | Mapped from changelog |
| gd | secu_result.description | Mapped from changelog |
| process | target.application | Mapped from changelog |
| pid | target.process.pid | Mapped from changelog |
| status_code | network.http.response_code | Mapped from changelog |
| url | network.http.referral_url | Mapped from changelog |
| useragent | network.http.user_agent | Mapped from changelog |
| request | additional.fields | Mapped from changelog |
| tls_version | network.tls.version | Mapped from changelog |
| hostname_is | principal.hostname | Mapped from changelog |
| referrer | network.http.referral_url | Mapped from changelog |
| metadata.event_type | USER_LOGIN | Mapped from changelog |
| metadata.event_type | PROCESS_UNCATEGORIZED | Mapped from changelog |
| srcIP | principal.ip | Mapped from changelog |
| username | principal.user.user_display_name | Mapped from changelog |
| type_syscall_props.msg | additional.fields | Mapped from changelog |
| sw, sw_type, subj | security_result.detection_fields | Mapped from changelog |
| indicator.SYSCALL | security_result.detection_fields | Mapped from changelog |
| exe | principal.process.file.full_path | Mapped from changelog |
| target.user.userid | principal.user.userid | Mapped from changelog |
| target_user_name | target.user.userid | Mapped from changelog |
| field | field33 | Mapped from changelog |
| fp | network.tls.client.certificate.sha256 | Mapped from changelog |
| pid | principal.process.pid | Mapped from changelog |
| syslog-tag | security_result.detection_fields | Mapped from changelog |
| inter_ip | intermediary.ip | Mapped from changelog |
| inter_hostname | intermediary.hostname | Mapped from changelog |
| grp | target.group.group_display_name | Mapped from changelog |
| id | about.user.userid | Mapped from changelog |
| acct | target.user.user_display_name | Mapped from changelog |
| uid | principal.user.userid | Mapped from changelog |
| auid | about.user.userid | Mapped from changelog |
| auid | target.user.userid | Mapped from changelog |
| op, id | security_result.summary | Mapped from changelog |
| op, acct | security_result.summary | Mapped from changelog |
| labels.compute.googleapis.com/resource_name, jsonPayload._HOSTNAME, CollectorHostName, HOSTNAME, Computer | principal.hostname | Mapped from changelog |
| HostIP | principal.ip | Mapped from changelog |
| ProcessID, jsonPayload._PID | principal.process.pid | Mapped from changelog |
| SyslogMessage | metadata.description | Mapped from changelog |
| TenantId, _ItemId, _Internal_WorkspaceResourceId, _ResourceId, Facility | additional.fields | Mapped from changelog |
| SeverityLevel | security_result.severity | Mapped from changelog |
| SourceSystem | principal.platform | Mapped from changelog |
| jsonPayload._COMM | principal.application | Mapped from changelog |
| jsonPayload._EXE | target.process.file.full_path | Mapped from changelog |
| jsonPayload._AUDIT_FIELD_FILE | target.file.full_path | Mapped from changelog |
| jsonPayload._AUDIT_FIELD_HASH | target.file.hash | Mapped from changelog |
| jsonPayload._AUDIT_SESSION | network.session_id | Mapped from changelog |
| jsonPayload._PPID | principal.process.parent_process.pid | Mapped from changelog |
| jsonPayload._AUDIT_FIELD_A0, jsonPayload._AUDIT_FIELD_A1, jsonPayload._AUDIT_FIELD_A2, jsonPayload._AUDIT_FIELD_A3, jsonPayload._BOOT_ID, jsonPayload._AUDIT_FIELD_EXIT | security_result.detection_fields | Mapped from changelog |
| id | target.user.userid | Mapped from changelog |
| ID | target.user.user_display_name | Mapped from changelog |
| user_name | principal.user.userid | Mapped from changelog |
| principal_user_userid | principal.user.userid | Mapped from changelog |
| vendor_name | Linux | Mapped from changelog |
| product_name | AuditD | Mapped from changelog |
| ip | target.ip | Mapped from changelog |
| success | security_result.summary | Mapped from changelog |
| syscall, exit, tty, a0, a1, a2, a3 | security_result.about.labels | Mapped from changelog |
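The following is an added example, not Google's AUDITD parser and not part of this page's original content. It shows what the pipeline above delivers and how the first block of the mapping table applies to it: each audit record arrives wrapped in syslog (PRI, timestamp, host, tag) because audisp-syslog hands it to rsyslog, which forwards facility local6 to the udplog receiver. The code checks that facility (local6 is code 22, so PRI 182 is local6/info), flattens the record's `key=value` pairs, including the nested `msg='...'` that USER_* records carry, and builds a dictionary of UDM-style dotted fields following the Logic column. The sample lines are constructed, the `audisp-syslog` tag is an assumption about your distribution's plugin version, and where the table sends two source fields to one destination (auid and uid, type and op) the precedence chosen here is an assumption; mapping `success=` on SYSCALL records and `PATH` records to FILE_MODIFICATION goes beyond the table.

```python
# Added example (not Google's parser): audisp-syslog -> rsyslog (local6) -> UDM-style fields.
import ipaddress
import re

FACILITY_LOCAL6 = 22                  # syslog facility code for local6 (PRI = 8*22 + severity)
UNSET_ID = "4294967295"               # auid/ses when unset (-1 as unsigned 32-bit)
X86_64_EXEC_SYSCALLS = {"59", "322"}  # execve, execveat when arch=c000003e (x86_64)
PRI_RE = re.compile(r"^<(\d{1,3})>")
AUDIT_HDR_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):\s*")
NESTED_MSG_RE = re.compile(r"msg='([^']*)'")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SIMPLE_MAP = {"acct": "target.user.userid", "comm": "target.process.command_line",
              "exe": "target.process.file.full_path", "name": "target.file.full_path",
              "pid": "principal.process.pid", "ppid": "principal.process.parent_process.pid",
              "ses": "network.session_id"}      # one-to-one rows of the mapping table
EXTRA_KEYS = ("arch", "cwd", "exit", "syscall", "terminal", "subj")  # -> additional.fields

# Constructed sample input, not a real capture; the "audisp-syslog" tag is assumed.
SAMPLE_LINES = [
    "<182>Jan 10 12:00:01 web01 audisp-syslog: type=SYSCALL msg=audit(1704888001.123:4567): "
    "arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 "
    'ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="exec"',
    "<182>Jan 10 12:00:02 web01 audisp-syslog: type=USER_LOGIN msg=audit(1704888002.456:4568): "
    "pid=2200 uid=0 auid=1001 ses=4 msg='op=login acct=\"alice\" exe=\"/usr/sbin/sshd\" "
    "hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'",
    "<182>Jan 10 12:00:03 web01 audisp-syslog: type=USER_LOGIN msg=audit(1704888003.789:4569): "
    "pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"bob\" "
    "exe=\"/usr/sbin/sshd\" hostname=? addr=203.0.113.9 terminal=ssh res=failed'",
]

def parse_syslog(line):
    """Return (facility, severity, audit_body); audit_body starts at 'type='."""
    m = PRI_RE.match(line)
    idx = line.find("type=", m.end()) if m else -1
    if idx < 0:
        raise ValueError("not a syslog-wrapped audit record")
    pri = int(m.group(1))
    return pri >> 3, pri & 7, line[idx:]

def parse_audit_record(body):
    """Flatten an audit record, including its nested msg='...', into a dict."""
    fields = {}
    m = AUDIT_HDR_RE.search(body)       # msg=audit(timestamp:serial): header
    if m:
        fields["audit_timestamp"], fields["audit_serial"] = m.groups()
        body = body[:m.start()] + body[m.end():]
    n = NESTED_MSG_RE.search(body)      # USER_* records nest more pairs inside msg='...'
    if n:
        fields["_nested_msg"] = n.group(1)
        body = body[:n.start()] + n.group(1) + body[n.end():]
    for key, val in KV_RE.findall(body):
        if val.strip('"') != "?":       # auditd prints '?' for unknown values
            fields[key] = val.strip('"')
    return fields

def derive_event_type(f):
    """metadata.event_type rules from the table; PATH -> FILE_MODIFICATION is assumed."""
    t = f.get("type")
    if t in ("USER_LOGIN", "USER_LOGOUT"):
        return t
    is_exec = f.get("key") == "exec" or (
        f.get("arch") == "c000003e" and f.get("syscall") in X86_64_EXEC_SYSCALLS)
    if t == "EXECVE" or (t == "SYSCALL" and is_exec):
        return "PROCESS_LAUNCH"
    return "FILE_MODIFICATION" if t == "PATH" else "GENERIC_EVENT"

def map_to_udm(f):
    udm = {"metadata.product_name": "auditd", "metadata.vendor_name": "Linux",
           "metadata.event_type": derive_event_type(f)}
    def put(dst, val):                  # set only when the source field exists and is set
        if val not in (None, "", UNSET_ID):
            udm[dst] = val
    for src, dst in SIMPLE_MAP.items():
        put(dst, f.get(src))
    auid = f.get("auid")                # login identity; fall back to uid when auid is unset
    put("principal.user.userid", auid if auid and auid != UNSET_ID else f.get("uid"))
    put("principal.user.group_identifiers", [f["gid"]] if "gid" in f else None)
    put("principal.hostname", f.get("hostname") or f.get("node"))  # node only as fallback
    put("metadata.product_event_type", f.get("type") or f.get("op"))  # type wins (assumed)
    put("metadata.description", f.get("_nested_msg"))
    try:
        put("principal.ip", str(ipaddress.ip_address(f.get("addr", ""))))
    except ValueError:
        pass                            # addr absent or not an IP: the table says skip it
    outcome = f.get("res") or f.get("success")  # success= on SYSCALL records (extension)
    if outcome in ("success", "1", "yes"):
        udm["security_result.action"] = "ALLOW"
    elif outcome in ("failed", "0", "no"):
        udm["security_result.action"] = "BLOCK"
    put("security_result.detection_fields", {"audit_key": f["key"]} if "key" in f else None)
    put("additional.fields", {k: f[k] for k in EXTRA_KEYS if k in f} or None)
    return udm

def process(lines):
    """Parse each line, keeping only facility local6 (what the rsyslog rule forwards)."""
    parsed = (parse_syslog(line) for line in lines)
    return [map_to_udm(parse_audit_record(b)) for fac, _sev, b in parsed if fac == FACILITY_LOCAL6]
```

Calling `process(SAMPLE_LINES)` yields three dictionaries: a PROCESS_LAUNCH for the `cat` execve with `audit_key` set to `exec`, an ALLOW USER_LOGIN for alice from 10.0.0.5, and a BLOCK USER_LOGIN for bob in which the unset `auid` and `ses` (4294967295) are dropped rather than mapped and `hostname=?` is ignored. Lines on any facility other than local6 are discarded, which is the same filter the `local6.*` rsyslog rule applies before the agent ever sees the message.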
Change Log
View the Change Log for this parser