Your question is very broad - I would start by googling / audit.rules, auditd and audispd to understand how the auditing works on linux. The audit rules on the systems you are monitoring will dictate what activity will be audited.

You may not actually need a flex, depending on your requirements... things like the syslog SmartConnector already do a decent job of normalising audit logs from linux systems. The problem you may hit is that most of the interesting data is put into the "Additional Data" fields, as well as not translating some field values in the audit logs to be human-readable (and thus not very usable without mapping those ad.fields to usable ones - such as device custom string x and the like).

Adam,

Thanks for the info, and believe me I have Google's auditd, audit.rules, and audisp looking for answers!

What I am trying to do is create specific rules to capture security related events, such as the use of the 'mount' and 'umount' commands along with su and sudo usage/attempts. I have been successful with these, but was hoping for more events. It appears that I get the best results with the USER_CMD messagetype, which is why I was looking for more information.

By the way, I have found a way to capture human readable information (user names etc.) using the ausearch -i command.

Steve

Have you considered using auditd and it's associated logs?

The syslog connector will parse auditd messages by default and auditd is way more informative than std Unix syslog

You didn't read any of this thread, did you?

Yeah I read it. I'm just supporting what you were saying. If you have an issue, use a PM.