Auditd event is not composed fully by audit log_format


Roman

Mar 23, 2026, 3:05:30 PM (2 days ago) Mar 23
to Wazuh | Mailing List
Hello, 

I faced an issue with some events from auditd. Seemingly identical events are composed differently by Wazuh.
event_ok is composed and decoded correctly.
event_f is not composed and consists of only one line, type=SYSCALL, although in audit.log there are other blocks with the same id (msg=audit).

That leads to an empty event in the Wazuh dashboard which can't be analyzed (no arguments, no path, etc.).
Screenshot 2026-03-23 174544.png
Could you please help me with troubleshooting of this issue?
event_ok.txt
event_f.txt

fabio.c...@wazuh.com

Mar 23, 2026, 4:22:53 PM (2 days ago) Mar 23
to Wazuh | Mailing List
Hello Roman,

Looking at the raw files, both events actually have the same structure, including a `nametype=NORMAL` that appears split across two physical lines in the PATH record.

Can you check the raw audit.log directly on the agent?
```
grep "7036003" /var/log/audit/audit.log
```

If the line-split is present in the original log, the next step is to confirm whether logcollector is failing because of it. You can check that with `logcollector.debug=2`, so you'd need to temporarily enable that in `internal_options.conf`:
```
logcollector.debug=2
```
Then after restarting and reproducing, check:
```
grep "invalid syntax" /var/ossec/logs/ossec.log | tail -20
```

Also, what's the agent version?
```
/var/ossec/bin/wazuh-control info
```

Greetings,

Roman

Mar 24, 2026, 5:39:16 AM (yesterday) Mar 24
to Wazuh | Mailing List
Hello, Fabio. 

Thank you for the quick response.
I'll enable debug on several agents and monitor the situation. It's quite random, and audit.log rotates itself fast (default is 8 MB). I've changed the default settings for audit.log rotation. I'll let you know what I find.

Agent version is:
```
/var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.13.1"
WAZUH_REVISION="rc1"
WAZUH_TYPE="agent"
```

Roman

6:56 AM (9 hours ago) 6:56 AM
to Wazuh | Mailing List
Hello, Fabio.

I've got another event that is not composed: msg=audit(1774423861.441:7287850)
What's unusual is that there is a PROCTITLE from the previous event in the middle. Maybe that is what breaks the compose.

```
type=EXECVE msg=audit(1774423861.438:7287849): ...
type=PATH msg=audit(1774423861.438:7287849): ...
type=PATH msg=audit(1774423861.438:7287849): ...
type=SYSCALL msg=audit(1774423861.441:7287850): arch=c000003e syscall=59 success=yes exit=0 a0=5595de126220 a1=5595de126b00 a2=5595de121a00 a3=8 items=2 ppid=3048132 pid=3048133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=kernel key="sbin_susp" ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1774423861.438:7287849): proctitle=677265700064656661756C74
type=EXECVE msg=audit(1774423861.441:7287850): ...
```

But there are no errors in ossec.log.
read_audit.c just reads the lines and goes on.

Attached are an extract from audit.log and the full ossec.log with debug=2:
ossec.log.zip
audit.log.extract
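The following script is an added illustration for this thread, not code from Wazuh or from either poster. It does on a raw audit.log what Fabio's first reply asks to check by hand (group records by their msg=audit serial and find a value such as nametype=NORMAL pushed onto a second physical line) and it flags the pattern Roman shows above, where a PROCTITLE of one serial lands between records of the next serial. The sample log is constructed to mimic Roman's extract (same serials and timestamps, argument values made up), and the completeness rule used here, that a syscall event is whole once it has a SYSCALL, as many PATH records as its items= field announces, and a PROCTITLE, is an assumption of this example rather than a statement of how Wazuh's read_audit.c composes events.

```python
import re
from collections import OrderedDict

# One auditd record: the type, the timestamp and the serial that ties the records of an event together.
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

# Constructed sample resembling the extract in the thread (not the real audit.log).
# Event 7287849 is "grep default", event 7287850 is "ip route"; the PROCTITLE of 7287849
# appears after the SYSCALL of 7287850, and one PATH record has nametype=NORMAL split
# across two physical lines.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1774423861.438:7287849): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=3048132 comm="grep" exe="/usr/bin/grep" key="sbin_susp"
type=EXECVE msg=audit(1774423861.438:7287849): argc=2 a0="grep" a1="default"
type=PATH msg=audit(1774423861.438:7287849): item=0 name="/usr/bin/grep" nametype=NORMAL
type=PATH msg=audit(1774423861.438:7287849): item=1 name="/lib64/ld-linux-x86-64.so.2" nametype=
NORMAL
type=SYSCALL msg=audit(1774423861.441:7287850): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=3048133 comm="ip" exe="/usr/sbin/ip" key="sbin_susp"
type=PROCTITLE msg=audit(1774423861.438:7287849): proctitle=677265700064656661756C74
type=EXECVE msg=audit(1774423861.441:7287850): argc=2 a0="ip" a1="route"
type=PATH msg=audit(1774423861.441:7287850): item=0 name="/usr/sbin/ip" nametype=NORMAL
type=PATH msg=audit(1774423861.441:7287850): item=1 name="/lib64/ld-linux-x86-64.so.2" nametype=NORMAL
type=PROCTITLE msg=audit(1774423861.441:7287850): proctitle=697000726F757465
"""


def parse_records(text):
    """Return (records, continuation_lines).

    records: dicts with type, ts, serial, body and the 1-based physical line.
    A non-empty line that does not start a record is treated as the tail of the
    previous record (the split-line symptom) and its line number is reported.
    """
    records, continuations = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["line"] = lineno
            records.append(rec)
        else:
            continuations.append(lineno)
            if records:
                records[-1]["body"] += line
    return records, continuations


def group_events(records):
    """Group records by serial, remembering the first and last physical line of each event."""
    events = OrderedDict()
    for rec in records:
        ev = events.setdefault(rec["serial"], {"records": [], "first": rec["line"], "last": rec["line"]})
        ev["records"].append(rec)
        ev["last"] = rec["line"]
    return events


def find_interleaved(events):
    """Pairs of serials whose line ranges overlap, i.e. records of one event sit inside another."""
    items = list(events.items())
    pairs = []
    for i, (s1, e1) in enumerate(items):
        for s2, e2 in items[i + 1:]:
            if e1["first"] <= e2["last"] and e2["first"] <= e1["last"]:
                pairs.append((s1, s2))
    return pairs


def is_complete(ev):
    """Assumed rule: SYSCALL present, one PATH per items=N, and a closing PROCTITLE."""
    types = [r["type"] for r in ev["records"]]
    syscall = next((r for r in ev["records"] if r["type"] == "SYSCALL"), None)
    if syscall is None or "PROCTITLE" not in types:
        return False
    m = re.search(r"\bitems=(\d+)", syscall["body"])
    expected_paths = int(m.group(1)) if m else 0
    return types.count("PATH") == expected_paths


def decode_proctitle(hexstr):
    """auditd hex-encodes proctitle; NUL separates the argv entries."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").replace("\x00", " ")


def report(text):
    """Summarise one audit.log extract: per-event completeness, split lines, interleaving."""
    records, continuations = parse_records(text)
    events = group_events(records)
    out = {"split_lines": continuations, "interleaved": find_interleaved(events), "events": {}}
    for serial, ev in events.items():
        title = next((r["body"].split("proctitle=", 1)[1] for r in ev["records"] if r["type"] == "PROCTITLE"), "")
        out["events"][serial] = {
            "complete": is_complete(ev),
            "lines": (ev["first"], ev["last"]),
            "proctitle": decode_proctitle(title) if title else "",
        }
    return out


if __name__ == "__main__":
    import json
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(report(text), indent=2))
```

Run it against an extract taken with the grep from Fabio's reply (`python3 audit_check.py extract.log`) or with no argument to see the constructed sample; an event listed as complete here but still arriving at the manager as a lone SYSCALL points at the collector side rather than at auditd.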