Sindbad~EG File Manager

# Output format.
# Value values are: oms, json, msgpack, raw
#
#output_format = oms

# The path to the output socket
#
#output_socket =

# Enable ack mode.
# When true auome will expect events to be acked.
# On connection loss or restart, un-acked events will be re-transmitted.
#
#enable_ack_mode = false

# Ack queue size.
# The number of un-acked events that sent before waiting for acks.
#
#ack_queue_size = 1000

#
# All parameters below are only valid for the oms output format.
#

# If true, the raw record text is included in the message. The field name
# is controled by the 'RawTextFieldName parameter.
#
#include_full_raw_text = true

# The name of the field that will contain the raw event record text.
#
#raw_text_field_name = raw

# The name to be used for the event timestamp field.
#
#timestamp_field_name = Timestamp

# The name to be used for the event serial field.
#
#serial_field_name = SerialNumber

#records_field_name = records
#record_type_field_name = RecordTypeCode
#record_type_name_field_name = RecordType
#field_suffix = -r

# Override the record_type code to record_type name translation provided by libaudit
# for a specific set of record_type_codes. This can be helpfull in cases where the
# kernel is generating audit records not yet recognized by libaudit.
#
# This property expects a valid JSON object/map. The value starts with '{'
# and ends with '}' and may span multiple lines.
#
# For example:
# The Ubuntu 14.04 kernel generates PROCTITLE (code 1327) records but libaudit doesn't recognize
# that code. So, a property value of '{ "1327": "PROCTITLE" }' would ensure
# that on output, the record_type name would be PROCTITLE instead of UNKNOWN[1327]
#
record_type_name_overrides = {
"1327": "PROCTITLE"
}

# Override field names. When field_emit_mode is RAW or BOTH, this override is applied to
# the field name of the raw value. When field_emit_mode is BOTH, this override takes precedence
# if field_name_dedup_suffix_raw_field=true. Instead of appending field_suffix, the override
# name will be used.
#
# This property expects a valid JSON object/map. The value starts with '{'
# and ends with '}' and may span multiple lines.
#
# For example, if one wants to have 'uid' output as 'user_id', one could use a
# property value of '{ "uid": "user_id" }'
#
#field_name_overrides = {}

# Override field names. When field_emit_mode is INTERP or BOTH, this override is applied to
# to the interpreted value. When field_emit_mode is BOTH, this override takes precedence
# if field_name_dedup_suffix_raw_field=false. Instead of appending field_suffix, the override
# name will be used.
#
# This property expects a valid JSON object/map. The value starts with '{'
# and ends with '}' and may span multiple lines.
#
# For example, if one wants to have interpreted 'uid' output as 'user_name',
# one could use a property value of '{ "uid": "user_name" }'
#
interpreted_field_names = {
"uid": "user",
"auid": "audit_user",
"euid": "effective_user",
"suid": "set_user",
"fsuid": "filesystem_user",
"inode_uid": "inode_user",
"oauid": "o_audit_user",
"ouid": "o_user",
"obj_uid": "obj_user",
"sauid": "sender_audit_user",
"gid": "group",
"egid": "effective_group",
"fsgid": "filesystem_group",
"inode_gid": "inode_group",
"new_gid": "new_group",
"obj_gid": "obj_group",
"ogid": "owner_group",
"sgid": "set_group"
}

# Filter records based on event flags.
#
# If the event was flagged based on process_flags and the any of the flag bits
# are present in this mask, then the event will be filtered.
#
filter_flags_mask = 4

# Filter record types. Listed record types will be filtered from output messages.
#
# This property expects a valid JSON array. The value starts with '[' and ends with ']'
# and may span multiple lines.
#
filter_record_types = [
"BPRM_FCAPS",
"CRED_ACQ",
"CRED_DISP",
"CRED_REFR",
"CRYPTO_KEY_USER",
"CRYPTO_SESSION",
"LOGIN",
"PROCTITLE",
"USER_ACCT",
"USER_CMD",
"USER_END",
"USER_LOGOUT",
"USER_START"
]

# Filter field names. Listed fields will be filtered from output messages.
#
# This property expects a valid JSON array. The value starts with '[' and ends with ']'
# and may span multiple lines.
#
filter_field_names = [
"arch_r",
"ses_r",
"mode_r"
]