fluent-plugin-go-audit-parser 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ba22e96bea2ae400b687602a97d450158e4ec505b84248dab397ff9b0ec9b229
+  data.tar.gz: f7891bcefd7796ca666561956162759745f32a1f6c7177279ba27ace1723fc02
+SHA512:
+  metadata.gz: a817930b2d24a2dc7ff04cd9375c57a9defe70d8492f9649ce8a54c5c540231f8c88853b60155b71e8f8a740dbefa8f387d52f84563ed787807bccb0b911db70
+  data.tar.gz: 89ecacbe447fccc5ee7ac1cb1476a1943e95e675ff7e71c0a69bbe55dce1e6fe79b69f012a14e256ba5bcabe446814d0da00b5f41820386f7d9fdb4338d436c3

data/Gemfile

@@ -0,0 +1,3 @@
+source "https://rubygems.org"
+
+gemspec

data/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,141 @@
+# fluent-plugin-go-audit-parser
+
+[go-audit](https://github.com/slackhq/go-audit) outputs audit logs in a raw json format.
+
+```
+{
+  "sequence": 1053,
+  "timestamp": "1626105161.783",
+  "messages": [
+    {
+      "type": 1300,
+      "data": "arch=c000003e syscall=257 success=yes exit=0 a0=55b5827dfaf0 a1=55b5827df360 a2=55b582819870 a3=8 items=2 ppid=10366 pid=10539 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts3 ses=47 comm=\"sudo\" exe=\"/usr/bin/sudo\" key=etcpasswd"
+    },
+    {
+    {
+      "type": 1302,
+      "data": "item=0 name=\"/etc/shadow\" inode=6948426 dev=fc:03 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0"
+    },
+    {
+      "type": 1327,
+      "data": "proctitle=7375646F007461696C002D66002F7661722F6C6F672F676F2D61756469742E6C6F67"
+    }
+  ],
+  "uid_map": {
+    "0": "root",
+    "1000": "vagrant"
+  }
+}
+```
+
+This [Fluentd](https://fluentd.org/) plugin transforms go-audit logs and make it easy to be handled by modern log aggregators.
+
+```
+{
+  "sequence": 1053,
+  "messages": {
+    "syscall": {
+      "type": 1300,
+      "arch": "c000003e",
+      "syscall": 257,
+      "success": "yes",
+      "exit": "0",
+      "a0": "55b5827dfaf0",
+      "a1": "55b5827df360",
+      "a2": "55b582819870",
+      "a3": "8",
+      "items": "2",
+      "ppid": 10366,
+      "pid": 10539,
+      "auid": { "id": 1000, "name": "vagrant" },
+      "uid": { "id": 1000, "name": "vagrant" },
+      "gid": 1000,
+      "euid": { "id": 0, "name": "root" },
+      "suid": { "id": 0, "name": "root" },
+      "fsuid": { "id": 0, "name": "root" },
+      "egid": 1000,
+      "sgid": 1000,
+      "fsgid": 1000,
+      "tty": "pts3",
+      "ses": 47,
+      "comm": "sudo",
+      "exe": "/usr/bin/sudo",
+      "key": "etcpasswd"
+    },
+    "path": {
+      "type": 1302,
+      "item": "0",
+      "name": "/etc/shadow",
+      "inode": 6948416,
+      "dev": "fc:03",
+      "mode": "0100640",
+      "ouid": { "id": 0, "name": "root" },
+      "ogid": 42,
+      "rdev": "00:00",
+      "nametype": "NORMAL",
+      "cap_fp": "0",
+      "cap_fi": "0",
+      "cap_fe": "0",
+      "cap_fver": "0",
+      "cap_frootid": "0"
+    },
+    "proctitle": {
+      "type": 1327,
+      "proctitle": "sudo tail -f /var/log/go-audit.log"
+    }
+  },
+  "message_types": [ "syscall", "path", "proctitle" ]
+}
+```
+
+## Installation
+
+### RubyGems
+
+```
+$ gem install fluent-plugin-go-audit-parser
+```
+
+### Bundler
+
+Add following line to your Gemfile:
+
+```ruby
+gem "fluent-plugin-go-audit-parser"
+```
+
+And then execute:
+
+```
+$ bundle
+```
+
+## Configuration
+
+```
+<source>
+  @type tail
+  @id go-audit.tail
+  path /var/log/go-audit.log
+  <parse>
+    @type json
+  </parse>
+  tag audit
+</source>
+
+<filter audit>
+  @type go_audit_parser
+  @id go-audit.parser
+</filter>
+
+<match audit>
+  @type stdout
+  @id go-audit.stdout
+</match>
+```
+
+## Copyright
+
+* Copyright(c) 2021- haccht
+* License
+  * Apache License, Version 2.0

data/Rakefile

@@ -0,0 +1,13 @@
+require "bundler"
+Bundler::GemHelper.install_tasks
+
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs.push("lib", "test")
+  t.test_files = FileList["test/**/test_*.rb"]
+  t.verbose = true
+  t.warning = true
+end
+
+task default: [:test]

data/fluent-plugin-go-audit-parser.gemspec

@@ -0,0 +1,27 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |spec|
+  spec.name    = "fluent-plugin-go-audit-parser"
+  spec.version = "0.1.0"
+  spec.authors = ["haccht"]
+  spec.email   = ["haccht@users.noreply.github.com"]
+
+  spec.summary       = %q{Fluentd plugin to transform go-audit log and make it easy to be handled by modern log aggregators.}
+  spec.description   = %q{Fluentd plugin to transform go-audit log and make it easy to be handled by modern log aggregators.}
+  spec.homepage      = "https://github.com/haccht/fluent-plugin-go-audit-parser"
+  spec.license       = "Apache-2.0"
+
+  test_files, files  = `git ls-files -z`.split("\x0").partition do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.files         = files
+  spec.executables   = files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = test_files
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 2.2.20"
+  spec.add_development_dependency "rake", "~> 13.0.6"
+  spec.add_development_dependency "test-unit", "~> 3.4.4"
+  spec.add_runtime_dependency "fluentd", [">= 0.14.10", "< 2"]
+end

data/lib/fluent/plugin/filter_go_audit_parser.rb

@@ -0,0 +1,312 @@
+#
+# Copyright 2021- haccht
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "fluent/plugin/filter"
+
+module Fluent
+  module Plugin
+    class GoAuditParserFilter < Fluent::Plugin::Filter
+      Fluent::Plugin.register_filter("go_audit_parser", self)
+
+      # https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h
+      # https://github.com/linux-audit/audit-userspace/blob/master/lib/libaudit.h
+      TYPES = {
+        1100 => 'user_auth',
+        1101 => 'user_acct',
+        1102 => 'user_mgmt',
+        1103 => 'cred_acq',
+        1104 => 'cred_disp',
+        1105 => 'user_start',
+        1106 => 'user_end',
+        1107 => 'user_avc',
+        1108 => 'user_chauthtok',
+        1109 => 'user_err',
+        1110 => 'cred_refr',
+        1111 => 'usys_config',
+        1112 => 'user_login',
+        1113 => 'user_logout',
+        1114 => 'add_user',
+        1115 => 'del_user',
+        1116 => 'add_group',
+        1117 => 'del_group',
+        1118 => 'dac_check',
+        1119 => 'chgrp_id',
+        1120 => 'test',
+        1121 => 'trusted_app',
+        1122 => 'user_selinux_err',
+        1123 => 'user_cmd',
+        1124 => 'user_tty',
+        1125 => 'chuser_id',
+        1126 => 'grp_auth',
+        1127 => 'system_boot',
+        1128 => 'system_shutdown',
+        1129 => 'system_runlevel',
+        1130 => 'service_start',
+        1131 => 'service_stop',
+        1132 => 'grp_mgmt',
+        1133 => 'grp_chauthtok',
+        1134 => 'mac_check',
+        1135 => 'acct_lock',
+        1136 => 'acct_unlock',
+        1137 => 'user_device',
+        1138 => 'software_update',
+        1200 => 'daemon_start',
+        1201 => 'daemon_end',
+        1202 => 'daemon_abort',
+        1203 => 'daemon_config',
+        1204 => 'daemon_reconfig',
+        1205 => 'daemon_rotate',
+        1206 => 'daemon_resume',
+        1207 => 'daemon_accept',
+        1208 => 'daemon_close',
+        1209 => 'daemon_err',
+        1300 => 'syscall',
+        1302 => 'path',
+        1303 => 'ipc',
+        1304 => 'socketcall',
+        1305 => 'config_change',
+        1306 => 'sockaddr',
+        1307 => 'cwd',
+        1309 => 'execve',
+        1311 => 'ipc_set_perm',
+        1312 => 'mq_open',
+        1313 => 'mq_sendrecv',
+        1314 => 'mq_notify',
+        1315 => 'mq_getsetattr',
+        1316 => 'kernel_other',
+        1317 => 'fd_pair',
+        1318 => 'obj_pid',
+        1319 => 'tty',
+        1320 => 'eoe',
+        1321 => 'bprm_fcaps',
+        1322 => 'capset',
+        1323 => 'mmap',
+        1324 => 'netfilter_pkt',
+        1325 => 'netfilter_cfg',
+        1326 => 'seccomp',
+        1327 => 'proctitle',
+        1328 => 'feature_change',
+        1329 => 'replace',
+        1330 => 'kern_module',
+        1331 => 'fanotify',
+        1332 => 'time_injoffset',
+        1333 => 'time_adjntpval',
+        1334 => 'bpf',
+        1335 => 'event_listener',
+        1400 => 'avc',
+        1401 => 'selinux_err',
+        1402 => 'avc_path',
+        1403 => 'mac_policy_load',
+        1404 => 'mac_status',
+        1405 => 'mac_config_change',
+        1406 => 'mac_unlbl_allow',
+        1407 => 'mac_cipsov4_add',
+        1408 => 'mac_cipsov4_del',
+        1409 => 'mac_map_add',
+        1410 => 'mac_map_del',
+        1411 => 'mac_ipsec_addsa',
+        1412 => 'mac_ipsec_delsa',
+        1413 => 'mac_ipsec_addspd',
+        1414 => 'mac_ipsec_delspd',
+        1415 => 'mac_ipsec_event',
+        1416 => 'mac_unlbl_stcadd',
+        1417 => 'mac_unlbl_stcdel',
+        1418 => 'mac_calipso_add',
+        1419 => 'mac_calipso_del',
+        1500 => 'aa',
+        1501 => 'apparmor_audit',
+        1502 => 'apparmor_allowed',
+        1503 => 'apparmor_denied',
+        1504 => 'apparmor_hint',
+        1505 => 'apparmor_status',
+        1506 => 'apparmor_error',
+        1507 => 'apparmor_kill',
+        1700 => 'anom_promiscuous',
+        1701 => 'anom_abend',
+        1702 => 'anom_link',
+        1703 => 'anom_creat',
+        1800 => 'integrity_data',
+        1801 => 'integrity_metadata',
+        1802 => 'integrity_status',
+        1803 => 'integrity_hash',
+        1804 => 'integrity_pcr',
+        1805 => 'integrity_rule',
+        1806 => 'integrity_evm_xattr',
+        1807 => 'integrity_policy_rule',
+        1899 => 'integrity_last_msg',
+        2000 => 'kernel',
+        2100 => 'anom_login_failures',
+        2101 => 'anom_login_time',
+        2102 => 'anom_login_sessions',
+        2103 => 'anom_login_acct',
+        2104 => 'anom_login_location',
+        2105 => 'anom_max_dac',
+        2106 => 'anom_max_mac',
+        2107 => 'anom_amtu_fail',
+        2108 => 'anom_rbac_fail',
+        2109 => 'anom_rbac_integrity_fail',
+        2110 => 'anom_crypto_fail',
+        2111 => 'anom_access_fs',
+        2112 => 'anom_exec',
+        2113 => 'anom_mk_exec',
+        2114 => 'anom_add_acct',
+        2115 => 'anom_del_acct',
+        2116 => 'anom_mod_acct',
+        2117 => 'anom_root_trans',
+        2118 => 'anom_login_service',
+        2119 => 'anom_login_root',
+        2120 => 'anom_origin_failures',
+        2121 => 'anom_session',
+        2200 => 'resp_anomaly',
+        2201 => 'resp_alert',
+        2202 => 'resp_kill_proc',
+        2203 => 'resp_term_access',
+        2204 => 'resp_acct_remote',
+        2205 => 'resp_acct_lock_timed',
+        2206 => 'resp_acct_unlock_timed',
+        2207 => 'resp_acct_lock',
+        2208 => 'resp_term_lock',
+        2209 => 'resp_sebool',
+        2210 => 'resp_exec',
+        2211 => 'resp_single',
+        2212 => 'resp_halt',
+        2213 => 'resp_origin_block',
+        2214 => 'resp_origin_block_timed',
+        2215 => 'resp_origin_unblock_timed',
+        2300 => 'user_role_change',
+        2301 => 'role_assign',
+        2302 => 'role_remove',
+        2303 => 'label_override',
+        2304 => 'label_level_change',
+        2305 => 'user_labeled_export',
+        2306 => 'user_unlabeled_export',
+        2307 => 'dev_alloc',
+        2308 => 'dev_dealloc',
+        2309 => 'fs_relabel',
+        2310 => 'user_mac_policy_load',
+        2311 => 'role_modify',
+        2312 => 'user_mac_config_change',
+        2313 => 'user_mac_status',
+        2400 => 'crypto_test_user',
+        2401 => 'crypto_param_change_user',
+        2402 => 'crypto_login',
+        2403 => 'crypto_logout',
+        2404 => 'crypto_key_user',
+        2405 => 'crypto_failure_user',
+        2406 => 'crypto_replay_user',
+        2407 => 'crypto_session',
+        2408 => 'crypto_ike_sa',
+        2409 => 'crypto_ipsec_sa',
+        2500 => 'virt_control',
+        2501 => 'virt_resource',
+        2502 => 'virt_machine_id',
+        2503 => 'virt_integrity_check',
+        2504 => 'virt_create',
+        2505 => 'virt_destroy',
+        2506 => 'virt_migrate_in',
+        2507 => 'virt_migrate_out',
+      }
+
+      def filter_with_time(tag, time, record)
+        if record.key?('messages') && record.key?('uid_map')
+          messages = record.delete('messages')
+          uid_map  = record.delete('uid_map')
+
+          new_messages = messages.each.with_object({}) do |message, new_messages|
+            type, data = message.values_at('type', 'data')
+
+            name = TYPES[type.to_i]
+            hash = { 'type' => type.to_i }
+            parseline(data).each do |key, val|
+              case key
+              when 'msg'
+                hash[key] = parseline(val)
+              when 'saddr'
+                hash[key] = sockaddr(val)
+              when 'proctitle'
+                hash[key] = packhex(val)
+              when 'uid', 'euid', 'suid', 'ouid', 'fsuid', 'auid'
+                hash[key] = uid(val, uid_map)
+              when 'gid', 'egid', 'sgid', 'ogid', 'fsgid'
+                hash[key] = val.to_i
+              when 'syscall', 'pid', 'ses', 'argc', 'inode'
+                hash[key] = val.to_i
+              else
+                hash[key] = val
+              end
+            end
+
+            new_messages.update(name => hash)
+          end
+
+          record['messages']      = new_messages
+          record['message_types'] = new_messages.keys
+        end
+
+        if record.key?('timestamp')
+          timestamp = record.delete('timestamp').to_f
+          time = Fluent::EventTime.from_time(Time.at(timestamp))
+        end
+
+        return time, record
+      end
+
+      def parseline(text)
+        regex = /([^\s=]+)=('[^']*'|"[^"]*"|\S+)/
+        text.scan(regex).each.with_object({}) do |(key, val), hash|
+          val = val[1..-2] if val.start_with?(/['"]/)
+          hash[key] = val
+        end
+      end
+
+      def uid(id, uid_map)
+        { 'id' => id.to_i, 'name' => uid_map[id] }
+      end
+
+      def packhex(text)
+        [text].pack("H*").gsub(/[^[:print:]]/, ' ')
+      end
+
+      def sockaddr(text)
+        addr = {}
+
+        case text[0, 2].hex + (256 * text[2, 2].hex)
+        when 1
+          pos = text.index('00', 4) - 4
+          pos = text.size - 4 if pos < 0
+          addr.update('family'    => 'local')
+          addr.update('path'      => packhex(text[4, pos]))
+          addr.update('unknown'   => text[pos+4..-1]) if text.size > pos + 5
+        when 2
+          addr.update('family'    => 'inet')
+          addr.update('port'      => (text[4, 2].hex * 256) + text[6, 2].hex)
+          addr.update('ip'        => text[8, 8].scan(/.{2}/).map{ |x| x.hex }.join("."))
+          addr.update('unknown'   => text[16..-1]) if text.length > 16
+        when 10
+          addr.update('family'    => 'inet6')
+          addr.update('port'      => (text[4, 2].hex * 256) + text[6, 2].hex)
+          addr.update('flow_info' => text[8, 8])
+          addr.update('ip'        => text[16, 32].scan(/.{4}/).map{ |x| x.downcase }.join(":"))
+          addr.update('scope_id'  => text[48, 8])
+          addr.update('unknown'   => text[56..-1]) if text.size > 56
+        else
+          addr.update('unknown' => text[4..-1])
+        end
+
+        addr
+      end
+    end
+  end
+end

data/test/helper.rb

@@ -0,0 +1,8 @@
+$LOAD_PATH.unshift(File.expand_path("../../", __FILE__))
+require "test-unit"
+require "fluent/test"
+require "fluent/test/driver/filter"
+require "fluent/test/helpers"
+
+Test::Unit::TestCase.include(Fluent::Test::Helpers)
+Test::Unit::TestCase.extend(Fluent::Test::Helpers)

data/test/plugin/test_filter_go_audit_parser.rb

@@ -0,0 +1,18 @@
+require "helper"
+require "fluent/plugin/filter_go_audit_parser.rb"
+
+class GoAuditParserFilterTest < Test::Unit::TestCase
+  setup do
+    Fluent::Test.setup
+  end
+
+  test "failure" do
+    flunk
+  end
+
+  private
+
+  def create_driver(conf)
+    Fluent::Test::Driver::Filter.new(Fluent::Plugin::GoAuditParserFilter).configure(conf)
+  end
+end

metadata

@@ -0,0 +1,117 @@
+--- !ruby/object:Gem::Specification
+name: fluent-plugin-go-audit-parser
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- haccht
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2021-07-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.20
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.20
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 13.0.6
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 13.0.6
+- !ruby/object:Gem::Dependency
+  name: test-unit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.4.4
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.4.4
+- !ruby/object:Gem::Dependency
+  name: fluentd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.14.10
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.14.10
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+description: Fluentd plugin to transform go-audit log and make it easy to be handled
+  by modern log aggregators.
+email:
+- haccht@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- fluent-plugin-go-audit-parser.gemspec
+- lib/fluent/plugin/filter_go_audit_parser.rb
+- test/helper.rb
+- test/plugin/test_filter_go_audit_parser.rb
+homepage: https://github.com/haccht/fluent-plugin-go-audit-parser
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Fluentd plugin to transform go-audit log and make it easy to be handled by
+  modern log aggregators.
+test_files:
+- test/helper.rb
+- test/plugin/test_filter_go_audit_parser.rb