changed filter

Saeid Hassan-Abadi · Saeid Hassan-Abadi · commit 9bbc7dd5d467 · 2023-08-25T17:53:29.000+02:00
diff --git a/filter-10-selinux.conf b/filter-10-selinux.conf
@@ -2,7 +2,7 @@ filter {
   grok {
     add_tag => "selinux"
     tag_on_failure => "selinux_failure"
-    overwrite => "[audit_type, audit_epoch, audit_counter]"
-    match => [ "message", "type=%{DATA:selinux_audit_type} msg=audit\(%{NUMBER:selinux_audit_epoch}:%{NUMBER:selinux_audit_counter}\): avc:%{SPACE}%{SPACE}%{DATA:selinux_avc}  \{ %{WORD:selinux_action} \} for  pid=%{NUMBER:selinux_pid} comm=\"%{DATA:selinux_command}\" ((src=%{DATA:selinux_source})?|(name=\"%{DATA:selinux_filename}\" dev=\"%{DATA:selinux_device}\" ino=%{NUMBER:selinux_inode})?) scontext=%{DATA:selinux_source_context} tcontext=%{DATA:selinux_target_context} tclass=%{DATA:selinux_target_class} permissive=%{NUMBER:selinux_permissive}" ]
+    match => [ "message", ": avc:%{SPACE}%{SPACE}%{DATA:[selinux][avc]}  \{ %{WORD:[selinux][action]} \} for  pid=%{NUMBER:[selinux][pid]} comm=\"%{DATA:[selinux][command]}\" ((src=%{DATA:[selinux][source]})?|(name=\"%{DATA:[selinux][filename]}\" dev=\"%{DATA:[selinux][device]}\" ino=%{NUMBER:[selinux][inode]})?) scontext=%{DATA:[selinux][source][context]} tcontext=%{DATA:[selinux][target][context]} tclass=%{DATA:[selinux][target][class]} permissive=%{NUMBER:[selinux][permissive]}" ]
        }
 }
+

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ filter {`
`2`	`2`	`grok {`
`3`	`3`	`add_tag => "selinux"`
`4`	`4`	`tag_on_failure => "selinux_failure"`
`5`		`- overwrite => "[audit_type, audit_epoch, audit_counter]"`
`6`		- match => [ "message", "type=%{DATA:selinux_audit_type} msg=audit\(%{NUMBER:selinux_audit_epoch}:%{NUMBER:selinux_audit_counter}\): avc:%{SPACE}%{SPACE}%{DATA:selinux_avc} \{ %{WORD:selinux_action} \} for pid=%{NUMBER:selinux_pid} comm=\"%{DATA:selinux_command}\" ((src=%{DATA:selinux_source})?\|(name=\"%{DATA:selinux_filename}\" dev=\"%{DATA:selinux_device}\" ino=%{NUMBER:selinux_inode})?) scontext=%{DATA:selinux_source_context} tcontext=%{DATA:selinux_target_context} tclass=%{DATA:selinux_target_class} permissive=%{NUMBER:selinux_permissive}" ]
	`5`	`+ match => [ "message", ": avc:%{SPACE}%{SPACE}%{DATA:[selinux][avc]} \{ %{WORD:[selinux][action]} \} for pid=%{NUMBER:[selinux][pid]} comm=\"%{DATA:[selinux][command]}\" ((src=%{DATA:[selinux][source]})?\|(name=\"%{DATA:[selinux][filename]}\" dev=\"%{DATA:[selinux][device]}\" ino=%{NUMBER:[selinux][inode]})?) scontext=%{DATA:[selinux][source][context]} tcontext=%{DATA:[selinux][target][context]} tclass=%{DATA:[selinux][target][class]} permissive=%{NUMBER:[selinux][permissive]}" ]`
`7`	`6`	`}`
`8`	`7`	`}`
	`8`	`+`