laurel 0.1.0

Transform Linux Audit logs for SIEM usage
laurel-0.1.0 is not a library.
Visit the last successful build: laurel-0.6.2

Linux Audit – Usable, Robust, Easy Logging

Logs produced by the Linux Audit subsystem and auditd(8) contain information that can be very useful in a SIEM context (if a useful ruleset has been configured). However, the format is not well-suited for at-scale analysis: Events are usually split across different lines that have to be merged using a message identifier. Files and program executions are logged via PATH and EXECVE elements, but a limited character set for strings causes many of those entries to be hex-encoded. For a more detailed discussion, see Practical auditd(8) problems

LAUREL solves these problems by consuming audit events, parsing and transforming them into more data and writing them out as a JSON-based log format, while keeping all information intact that was part of the original audit log. It does not replace auditd(8) as the consumer of audit messages from the kernel. Instead, it uses the audisp ("audit dispatch") interface to receive messages via auditd(8). Therefore, it can peacefully coexist with other consumers of audit events (e.g. some EDR products).

Refer to JSON-based log format for a description of the log format.

We developed this tool because we were not content with feature sets and performance characteristics of existing projects and products. Please refer to Performacne for details.

Build from source

LAUREL is written in Rust. To build it, a reasonably recent Rust compiler (we currently use 1.48), cargo, and the libacl library and its header files (Debian: libacl1-dev, RedHat: libacl-devel) are required.

$ cargo build --release
$ sudo install -m755 target/release/laurel /usr/local/sbin/laurel

Configure, use

  • Create a dedicated user, e.g.:

    $ sudo useradd --system --home-dir /var/lib/laurel --create-home _laurel

  • Configure LAUREL, write to /etc/laurel/config.toml:

    directory = "/var/log/laurel"
user = "_laurel"

[auditlog]
file = "audit.log"
size = 1000000
generations = 10
read-users = [ "splunk" ]

  • Register LAUREL as an audisp plugin, write to (depending on your auditd version) /etc/audisp/plugins.d/laurel.conf or /etc/audit/plugins.d/laurel.conf:

    active = yes
direction = out
type = always
format = string
path = /usr/local/sbin/laurel
args = --config /etc/laurel/config.toml

  • Tell auditd(8) to re-evaluate its configuration

    $ sudo pkill -HUP auditd

License

GNU General Public License, version 3

Authors