Provided by: laurel_0.5.6-3build1_amd64 bug

NAME
       laurel2audit(8) – transform Laurel logs to back to original Linux Audit format


SYNOPSIS
       This  is a simple filter that reads logs written by laurel(8) and outputs Linux Audit logs that the audit
       tools and laurel itself should be able to digest.


NOTES
       “Enriched” (i.e. ALL_CAPS) keys in audit records are discarded.

       EXECVE records are output on one, possibly very long, line.

       If laurel has transformed EXECVE argument lists to single strings  (ARGV_STR),  that  transformation  may
       have been lossy: There is no way to discern space characters as gaps between arguments from space charac‐
       ters as part of individual arguments.

       An  end-of-event  (EOE)  marker  is  output for every event.  This marker is not part of the original au‐
       dit.log file, but it has originally been transmitted by the kernel and is passed by auditd(8) to plugins.


BUGS
       • URL-encoded single bytes within strings are not yet handled.

       • Possibly more.


SEE ALSO
       laurel(8), aulast(8), aulastlog(8), aureport(8), ausearch(8), ausyscall(8), auvirt(8)


AUTHORS
       • Hilko Bengen <<bengen@hilluzination.de>>

laurel 0.5.6                                                                                     laurel2audit(8)