ae_batch — audit explorer batch processing
ae_batch -src path -dst filename
[-filt filename] [-nt]
[-a] [-curl URL] [-curlopts options]
[-mail address] [-sleep seconds]
ae_batch is a command-line tool inside the Audit Explorer application bundle. It uses Audit Explorer's underlying engine to parse audit trails and saves the analysis to a results file, which can then be opened in Audit Explorer to examine the results.
While ae_batch can be run interactively from the command line, it was designed to be run by launchd or a shell script at prescribed times, such as at boot or when auditd rotates the audit trail.
ae_batch can also send a summary of notable events (namely, the events flagged by the audit filter) to a specified email address, and it can upload the results to a web server (the "audit server") via the curl command.
ae_batch does not rely on anything inside the application bundle, so it can be copied to another, perhaps more appropriate, directory. For example, you can copy it to /usr/local/bin.
$ sudo cp Audit\ /usr/local/bin/.
For a description of how ae_batch can be used in a larger workflow, see the section Workflows.
ae_batch has two required arguments and seven optional arguments. The required arguments are:
  • -src path — specify either a single audit trail file or the directory containing BSM audit trail files. If path is a directory, the most recent BSM file whose name does not end in ".not_terminated" (the trail auditd is still writing) is used.

  • -dst path — specify either the output file or an output directory. The extension ".nsqAE" is appended to the file name. If path is a directory, the output file name is the same as that of the BSM audit trail file used for input.
The optional arguments are:
  • -filt filename — specify the filter rules file. Matches from these filters appear in the Dashboard's Filter Events tab.

  • -nt — no throttle. By default a throttle limits the number of alerts generated per filter rule. This option disables the throttle, so every alert is reported.

  • -a — archive (tar and compress) the results file. (The results file is actually a "bundle", which is a directory; that is why it is tarred first.) If the -curl option is used, the results are archived automatically.

  • -curl URL — where to upload the results. For example, if you have a PHP script on a web server that accepts archived uploads (think of it as an "audit server"), use this to specify the web server and PHP script.

  • -curlopts options — options added to the curl command. For example, adding '-k' lets you use a self-signed certificate on your secure web/audit server. Be aware that -k (--insecure) turns off certificate verification entirely, so curl will also accept an impostor's certificate and the uploaded audit data could be sent to the wrong host; for a self-signed or private-CA server, giving curl that certificate instead (e.g. with --cacert) keeps verification on.

  • -mail address — send a summary of the analysis (the results from filter matches) to this email address.

  • -sleep seconds — delay the specified number of seconds before analyzing the input file. This is needed if you run this program automatically via launchd whenever the audit trail directory changes (e.g., when the audit trail file is rotated). A delay of a few seconds (e.g., 5) allows the audit daemon to finish closing the old file and start the new one.
/usr/local/bin/ae_batch -src /var/audit -dst /var/audit_results -filt /etc/security/sample_filter.nsqFilt -mail -curl -curlopts -k -sleep 5
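The following script is an added example and not part of Audit Explorer or its documentation. It wires ae_batch into launchd the way the -sleep note above describes (a WatchPaths job on the audit directory with a settle delay), and replaces "-curlopts -k" with a curl config file that trusts only the audit server's CA, passed as a single spaceless token so it survives as one -curlopts value. It also reproduces the "most recent trail not ending in .not_terminated" selection rule for wrappers that want to hand ae_batch one file rather than the directory. The install path, audit and results directories, filter file, launchd label, upload URL and CA file are all assumptions; ae_batch is only invoked by launchd once the job is loaded.

```shell
#!/bin/sh
# Added example (not Audit Explorer's own code). Every path, the launchd
# label, the upload URL and the CA file are placeholders for illustration.
set -eu

AE_BATCH=${AE_BATCH:-/usr/local/bin/ae_batch}      # where ae_batch was copied
AUDIT_DIR=${AUDIT_DIR:-/var/audit}
RESULTS_DIR=${RESULTS_DIR:-/var/audit_results}
FILTER=${FILTER:-/etc/security/sample_filter.nsqFilt}
AUDIT_SERVER_URL=${AUDIT_SERVER_URL:-https://audit.example.com/upload.php}  # hypothetical
CURLRC=${CURLRC:-/etc/ae_batch/curlrc}
CA_FILE=${CA_FILE:-/etc/ssl/certs/audit-server-ca.pem}
LABEL=${LABEL:-com.example.ae_batch}
PLIST=${PLIST:-/Library/LaunchDaemons/$LABEL.plist}

# The rule -src applies to a directory: BSM trail names are <start>.<stop>
# timestamps (YYYYMMDDhhmmss) and the trail still being written ends in
# ".not_terminated", so a reverse sort of the remaining names yields the most
# recently closed trail. Prints nothing if the directory holds none.
latest_terminated_trail() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $f in *.not_terminated) continue ;; esac
        basename "$f"
    done | sort -r | head -n 1
}

# curl reads this file via -K<file>. "cacert" pins the audit server's CA so
# the upload cannot be redirected to an impostor, which is what "-k"
# (insecure) gives up; "fail" makes curl exit non-zero on HTTP errors.
write_curlrc() {
    out=$1 ca=$2
    printf '# trust only the audit server CA\ncacert = %s\nfail\n' "$ca" >"$out"
    chmod 0644 "$out"
}

# launchd job: WatchPaths fires when anything in the audit directory changes,
# i.e. when auditd rotates the trail; -sleep 5 lets it finish closing the old
# file first. RunAtLoad additionally runs the job once at boot.
write_launchd_plist() {
    out=$1
    cat >"$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>$AE_BATCH</string>
        <string>-src</string>
        <string>$AUDIT_DIR</string>
        <string>-dst</string>
        <string>$RESULTS_DIR</string>
        <string>-filt</string>
        <string>$FILTER</string>
        <string>-curl</string>
        <string>$AUDIT_SERVER_URL</string>
        <string>-curlopts</string>
        <string>-K$CURLRC</string>
        <string>-sleep</string>
        <string>5</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>$AUDIT_DIR</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Run as root: sh ae_batch_launchd.sh install
install_job() {
    mkdir -p "$(dirname "$CURLRC")" "$RESULTS_DIR"
    write_curlrc "$CURLRC" "$CA_FILE"
    write_launchd_plist "$PLIST"
    launchctl load -w "$PLIST"
}

if [ "${1:-}" = install ]; then
    install_job
fi
```

Because -curl archives the results automatically, no -a is needed in the job. The curl config file keeps the -curlopts value to one token ("-K/etc/ae_batch/curlrc") while still carrying a multi-word setting, which is the reason for the indirection.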

@NetSquared_USA  copyright Net Squared, Inc., 2008-2013