Adding audit log_format type

[atomicturtle]

Example:

<log_format>audit</log_format>
/var/log/audit/audit.log

This should handle auditd log rollovers more gracefully.

Signed-off-by: Scott R. Shinn scott@atomicorp.com

[atomicturtle]

More readable log entry, that got mangled in the commit:

  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

[snaow]

Hi @atomicturtle!

Credits here to the Wazuh project.

Linux audit log integration was added to the Wazuh project in October 2016, which was including documentation, rules and decoders (with intense usage of dynamic fields, they were invented mostly for Audit).

October 2016 Wazuh

• Added audit log format to Logcollector - wazuh/wazuh@8f9d08c#diff-c91ef1d922649ab7713f5d299b353433
• Wazuh changelog updated - wazuh/wazuh@d3ca232#diff-4ac32a78649ca5bdd8e0ba38b7006a1eR41
• Wazuh docs - system call section updated - wazuh/wazuh-documentation@3b73f16#diff-f016b757c1f4a93f28e7a17673276148

December 2018 OSSEC

• Adding audit log_format type - (copying the file) - f4ef1f6#diff-c91ef1d922649ab7713f5d299b353433
• Update read_audit.c - (removing Wazuh copyright) - 623190d

It's good to see how OSSEC is getting more and more features from the Wazuh project, that is exactly the best thing about the open source software, different thing is, not to give credits to authors.

I hope you can keep the copyright and/or give the rightful credits, thanks!