Linux Audit Log Parser (mmaudit)#
Module Name: mmaudit
Author:
Available since: 7.x series (introduced during the rsyslog v7 development cycle)
Purpose#
The mmaudit message modification module detects Linux Audit records
and exposes their data as structured properties. When a message
matches the expected auditd format the module parses the record and adds
a JSON subtree under $!audit. Subsequent actions can query those
fields when routing, filtering, or formatting audit events.
The plugin is optional at build time. Use
./configure --enable-mmaudit to compile it when building rsyslog
from source.
Message detection and parsing#
mmaudit operates on the raw message string. After trimming leading
whitespace the module expects the record to start with
type=<digits> audit(. Messages that do not match this pattern are
left untouched.
When the prefix is present mmaudit extracts two header elements:
- type: the numeric audit record type parsed from the digits that follow type=.
- auditid: the identifier found between audit( and the closing ): (typically timestamp:sequence).
The remainder of the record is interpreted as a sequence of
whitespace-separated name=value pairs. Values may be unquoted (terminated
by a space) or wrapped in single or double quotes. The extracted data is inserted into a JSON
object called data beneath the $!audit subtree. Each value is
stored without surrounding quotes.
Note
The parser does not currently skip the terminating quote character.
As a result, the next field name begins with that quote (and possibly
a space). Access such fields either by spelling the generated name
literally (for example %$!audit!data!" exe%) or by using the
get_property() function to fetch the value by key.
JSON output structure#
After a successful parse the following properties become available:
- $!audit!hdr!type: integer containing the numeric audit type.
- $!audit!hdr!auditid: the audit identifier string.
- $!audit!data: JSON object with one entry per name=value pair in the record body.
The original message text is preserved. The module also sets the message
parse flag, so later actions can test if $parsesuccess == "on" to
check whether mmaudit produced structured data.
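The following stand-alone Python parser is an added example, not mmaudit's own C code or part of the rsyslog project. It reimplements the detection rule and the name=value splitting described in the two sections above so you can see, without running rsyslog, what $!audit!hdr and $!audit!data will contain for a given line. The sample records are constructed for this example; the skip_closing_quote flag is an assumption of this example only (mmaudit has no such option) and exists so that the documented closing-quote quirk can be compared with a clean parse.

```python
"""Mirror of the mmaudit detection and field-splitting rules (added example).

Not mmaudit's code: a readable model of the documented behaviour so the
shape of $!audit can be inspected offline.
"""
import json
import re
from typing import Optional

# After optional leading whitespace the record must start with
# "type=<digits> audit(<auditid>):"; anything else is left untouched.
HEADER_RE = re.compile(r"^\s*type=(\d+) audit\(([^)]*)\):\s*")


def parse_audit_record(msg: str, skip_closing_quote: bool = False) -> Optional[dict]:
    """Return {"hdr": {"type": int, "auditid": str}, "data": {...}} or None.

    skip_closing_quote=False reproduces the documented mmaudit behaviour:
    the closing quote of a quoted value is not consumed, so it (and the
    following space) become the start of the next field name, e.g. '" exe'.
    skip_closing_quote=True (hypothetical, for comparison only) yields the
    clean names you would expect once that quirk is fixed.
    """
    m = HEADER_RE.match(msg)
    if m is None:
        return None  # the equivalent of $parsesuccess not being "on"

    hdr = {"type": int(m.group(1)), "auditid": m.group(2)}
    body = msg[m.end():]
    data = {}
    i, n = 0, len(body)
    while i < n:
        eq = body.find("=", i)
        if eq < 0:
            break  # trailing text without '=' is not a name=value pair
        name = body[i:eq]
        i = eq + 1
        if i < n and body[i] in "\"'":
            quote = body[i]
            end = body.find(quote, i + 1)
            if end < 0:
                end = n  # unterminated quote: take the rest of the line
            value = body[i + 1:end]
            i = end + 1 if skip_closing_quote else end
        else:
            end = body.find(" ", i)
            if end < 0:
                end = n
            value = body[i:end]
            i = end
        data[name] = value  # values are stored without surrounding quotes
        # Consume the whitespace separating fields. In quirk mode `i` sits on
        # the closing quote here, which is not whitespace, so the quote is
        # carried into the next field name.
        while i < n and body[i] == " ":
            i += 1
    return {"hdr": hdr, "data": data}


# Constructed sample lines (not captured from a real system).
RAW_SYSCALL = (
    "type=1300 audit(1700000000.123:4567): arch=c000003e syscall=2 "
    'success=no exit=-13 pid=1234 uid=1000 comm="cat" exe="/usr/bin/cat" '
    "key=(null)"
)
# Already translated by auditd to a textual type: mmaudit ignores it.
TEXTUAL_TYPE = "type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=2"


def demo() -> dict:
    """Parse the samples both ways; returns the results for inspection."""
    return {
        "as_mmaudit": parse_audit_record(RAW_SYSCALL),
        "clean": parse_audit_record(RAW_SYSCALL, skip_closing_quote=True),
        "textual_type": parse_audit_record(TEXTUAL_TYPE),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the quirk-mode keys `comm`, `" exe` and `" key` next to the clean ones, which is exactly why the usage example below has to ask get_property() for `" exe`; the textual-type line returns None, matching the "left untouched" rule.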
Configuration Parameters#
Note
Parameter names are case-insensitive; camelCase is recommended for readability.
Module Parameters#
This module has no module parameters.
Action Parameters#
This module has no action parameters. Simply configure
action(type="mmaudit") in the processing chain.
Usage example#
The snippet below parses audit records, writes the structured payload to an auxiliary file, and demonstrates how to access one of the generated fields.
module(load="mmaudit")
template(name="audit-json"
type="string"
string="%timegenerated% %HOSTNAME% %syslogtag% %$!audit%\n")
action(type="mmaudit")
if $parsesuccess == "on" then {
# The field name contains the quote that preceded it in the log.
set $.exe = get_property($!audit!data, '" exe');
action(type="omfile"
file="/var/log/audit-json.log"
template="audit-json")
}
Caveats#
- mmaudit performs no authenticity checks. Any log line that matches the expected syntax is treated as an audit record, whichever input it arrived on, so a successful parse is not evidence that the kernel emitted the line. If later actions route or alert on $!audit fields, run mmaudit only on inputs you trust (for example inside a ruleset bound to the local audit source, or after filtering on properties such as $fromhost-ip or $inputname).
- Only records that begin with a numeric type=<digits> token followed by a space and audit( are parsed. Records already translated to textual types (for example type=SYSCALL) are ignored.
- Field names following quoted values include the trailing quote from that value, as described above.
© 2008–2026 Rainer Gerhards and others. Licensed under the Apache License 2.0.