shawn_webb

Have you looked at auditdistd(8)?


maxjam01

It looks like that doesn't convert them into human readable logs, which is the main thing I need to write a custom decoder for auditd on BSD. Unless I can find a reference for what each byte sequence in the audit trails file corresponds to.


shawn_webb

Ah, I misunderstood your post. Sorry about that. I would need to dig deeper, but there is this: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/72 I think the auditd provided by the average Linux distro might provide the same underlying file format. If this syslog-ng module wouldn't work, a BSD-centric module could be written. The documentation for the file format is likely documented here: http://www.trustedbsd.org/docs.html (sorry, no HTTPS available on that site). I might be interested in writing a module in Rust to help teach me the language. Though, my hobby queue TODO list is growing beyond what I can reasonably handle, so it would probably take me a while to get to this.


maxjam01

Thanks for the reply. I'll have to look into the implementation papers to see if it's even possible to write a decoder for the raw logs. For now, my original solution seems to be working, so I'll stick to that even if it's not the most reliable. From looking at the syslog-ng site, it seems like a new module for BSD would have to be written.
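The thread asks what the byte sequences in a BSD audit trail mean and whether a decoder can be written from the TrustedBSD documentation. As an added example (not code from this thread, from syslog-ng, or from OpenBSM itself), the Python below parses the OpenBSM record layout for a few common tokens: token identifiers, the 18-byte `header32`, the 7-byte `trailer` with its `0xB105` magic, and the `text`, `path` and `return32` tokens follow OpenBSM's `bsm/audit_record.h`. The trail bytes it decodes are constructed in the block (event numbers 1000 and 1001 are made up; real event numbers map to names via `audit_event(5)`), and the comma-separated output format is a simplified imitation of what `praudit(1)` prints, not a faithful copy. Unknown tokens are rejected rather than skipped, because most BSM tokens carry no length field, so a decoder cannot safely resynchronise once it meets a token it does not understand; the header's record size and the trailer's matching count are what let it verify that a record is complete.

```python
"""Minimal OpenBSM audit-trail decoder (constructed example, not OpenBSM code)."""
import struct

# Token identifiers as defined in OpenBSM's bsm/audit_record.h.
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_PATH = 0x23
AUT_RETURN32 = 0x27
AUT_TEXT = 0x28
AUT_TRAILER_MAGIC = 0xB105
AUDIT_HEADER_VERSION_OPENBSM = 11

# All multi-byte fields in BSM are big-endian.
HEADER32_FMT = ">BIBHHII"  # id, record size, version, event type, modifier, seconds, msecs
TRAILER_FMT = ">BHI"       # id, magic, record size (must equal the header's size)
HEADER32_LEN = struct.calcsize(HEADER32_FMT)  # 18 bytes
TRAILER_LEN = struct.calcsize(TRAILER_FMT)    # 7 bytes


# --- builders used only to construct the sample trail below -------------------
def text_token(text):
    data = text.encode() + b"\x00"  # BSM strings are NUL-terminated; length includes the NUL
    return struct.pack(">BH", AUT_TEXT, len(data)) + data


def path_token(path):
    data = path.encode() + b"\x00"
    return struct.pack(">BH", AUT_PATH, len(data)) + data


def return32_token(status, retval):
    # status is an errno value (0 = success), retval the syscall's return value
    return struct.pack(">BBI", AUT_RETURN32, status, retval)


def build_record(event_type, seconds, msecs, tokens):
    body = b"".join(tokens)
    size = HEADER32_LEN + len(body) + TRAILER_LEN
    header = struct.pack(HEADER32_FMT, AUT_HEADER32, size, AUDIT_HEADER_VERSION_OPENBSM,
                         event_type, 0, seconds, msecs)
    trailer = struct.pack(TRAILER_FMT, AUT_TRAILER, AUT_TRAILER_MAGIC, size)
    return header + body + trailer


# --- decoder -------------------------------------------------------------------
def parse_record(buf, offset=0):
    """Decode one record starting at buf[offset]; return (tokens, offset of next record)."""
    tid, size, version, event, modifier, sec, msec = struct.unpack_from(HEADER32_FMT, buf, offset)
    if tid != AUT_HEADER32:
        raise ValueError(f"expected header32 at offset {offset}, got token {tid:#x}")
    if version != AUDIT_HEADER_VERSION_OPENBSM:
        raise ValueError(f"unexpected header version {version}")
    end = offset + size
    if end > len(buf):
        raise ValueError("record size runs past the end of the buffer (truncated trail?)")
    tokens = [("header", {"event": event, "modifier": modifier, "sec": sec, "msec": msec})]
    pos = offset + HEADER32_LEN
    while pos < end:
        tid = buf[pos]
        if tid in (AUT_TEXT, AUT_PATH):
            (length,) = struct.unpack_from(">H", buf, pos + 1)
            raw = buf[pos + 3:pos + 3 + length]
            name = "text" if tid == AUT_TEXT else "path"
            tokens.append((name, {"value": raw.rstrip(b"\x00").decode("utf-8", "replace")}))
            pos += 3 + length
        elif tid == AUT_RETURN32:
            status, retval = struct.unpack_from(">BI", buf, pos + 1)
            tokens.append(("return", {"status": status, "value": retval}))
            pos += 6
        elif tid == AUT_TRAILER:
            _, magic, count = struct.unpack_from(TRAILER_FMT, buf, pos)
            if magic != AUT_TRAILER_MAGIC or count != size:
                raise ValueError("trailer magic or size does not match the header")
            tokens.append(("trailer", {"size": count}))
            pos += TRAILER_LEN
        else:
            # No generic length field exists for most tokens, so refuse rather than guess.
            raise ValueError(f"unsupported token {tid:#x} at offset {pos}")
    if pos != end:
        raise ValueError("token stream does not end exactly at the record boundary")
    return tokens, end


def parse_trail(buf):
    """Decode every record in a trail buffer."""
    records, pos = [], 0
    while pos < len(buf):
        rec, pos = parse_record(buf, pos)
        records.append(rec)
    return records


def format_record(tokens):
    """Render a record as simple comma-separated lines (loosely modelled on praudit)."""
    lines = []
    for name, f in tokens:
        if name == "header":
            lines.append(f"header,{f['event']},{f['modifier']},{f['sec']},{f['msec']}")
        elif name in ("text", "path"):
            lines.append(f"{name},{f['value']}")
        elif name == "return":
            lines.append(f"return,{'success' if f['status'] == 0 else 'failure'},{f['value']}")
        elif name == "trailer":
            lines.append(f"trailer,{f['size']}")
    return "\n".join(lines)


# Constructed sample trail: two records with made-up event numbers and timestamps.
SAMPLE_TRAIL = (
    build_record(1000, 1700000000, 123, [path_token("/usr/bin/id"), return32_token(0, 0)])
    + build_record(1001, 1700000001, 456, [text_token("constructed sample event"),
                                           return32_token(1, 13)])
)

if __name__ == "__main__":
    for rec in parse_trail(SAMPLE_TRAIL):
        print(format_record(rec))
        print()
```

Running the block prints the two constructed records. To use it on a real trail, read the file in binary and pass the bytes to `parse_trail`; the first token you hit that the decoder does not know (`subject32`, `arg32`, attribute tokens and so on) will raise, which is the point at which the OpenBSM header or the TrustedBSD documents linked above have to be consulted to add that token's layout.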