# Output format.
# Value values are: oms, json, msgpack, raw, syslog
#
output_format = syslog

# The path to the output unix domain socket
#
#output_socket = 

# Enable ack mode.
# When true auome will expect events to be acked.
# On connection loss or restart, un-acked events will be re-transmitted.
#
#enable_ack_mode = false

# Ack queue size.
# The number of un-acked events that sent before waiting for acks.
#
#ack_queue_size = 1000

# If true, the raw record text is included in the message. The field name
# is controled by the 'RawTextFieldName parameter.
#
#include_full_raw_text = true

# The name of the field that will contain the raw event record text.
#
#raw_text_field_name = raw

# The name to be used for the event timestamp field.
#
#timestamp_field_name = Timestamp

# The name to be used for the event serial field.
#
#serial_field_name = SerialNumber

#records_field_name = records
#record_type_field_name = RecordTypeCode
#record_type_name_field_name = RecordType
#field_suffix = -r

# Override the record_type code to record_type name translation provided by libaudit
# for a specific set of record_type_codes. This can be helpfull in cases where the
# kernel is generating audit records not yet recognized by libaudit.
#
# This property expects a valid JSON object/map. The value starts with '{'
# and ends with '}' and may span multiple lines.
#
# For example:
# The Ubuntu 14.04 kernel generates PROCTITLE (code 1327) records but libaudit doesn't recognize
# that code. So, a property value of '{ "1327": "PROCTITLE" }' would ensure
# that on output, the record_type name would be PROCTITLE instead of UNKNOWN[1327]
#
record_type_name_overrides = {
"1327": "PROCTITLE"
}

# Override field names. When field_emit_mode is RAW or BOTH, this override is applied to
# the field name of the raw value. When field_emit_mode is BOTH, this override takes precedence
# if field_name_dedup_suffix_raw_field=true. Instead of appending field_suffix, the override
# name will be used.
#
# This property expects a valid JSON object/map. The value starts with '{'
# and ends with '}' and may span multiple lines.
#
# For example, if one wants to have 'uid' output as 'user_id', one could use a
# property value of '{ "uid": "user_id" }'
#
#field_name_overrides = {}

# Override field names. When field_emit_mode is INTERP or BOTH, this override is applied to
# to the interpreted value. When field_emit_mode is BOTH, this override takes precedence
# if field_name_dedup_suffix_raw_field=false. Instead of appending field_suffix, the override
# name will be used.
#
# This property expects a valid JSON object/map. The value starts with '{'
# and ends with '}' and may span multiple lines.
#
# For example, if one wants to have interpreted 'uid' output as 'user_name',
# one could use a property value of '{ "uid": "user_name" }'
#
interpreted_field_names = {
"uid": "user",
"auid": "audit_user",
"euid": "effective_user",
"suid": "set_user",
"fsuid": "filesystem_user",
"inode_uid": "inode_user",
"oauid": "o_audit_user",
"ouid": "o_user",
"obj_uid": "obj_user",
"sauid": "sender_audit_user",
"gid": "group",
"egid": "effective_group",
"fsgid": "filesystem_group",
"inode_gid": "inode_group",
"new_gid": "new_group",
"obj_gid": "obj_group",
"ogid": "owner_group",
"sgid": "set_group"
}

# Filter records based on event flags.
#
# If the event was flagged based on process_flags and the any of the flag bits
# are present in this mask, then the event will be filtered.
#
filter_flags_mask = 6

# Filter record types. Listed record types will be filtered from output messages.
#
# This property expects a valid JSON array. The value starts with '[' and ends with ']'
# and may span multiple lines.
#
filter_record_types = [
"BPRM_FCAPS",
"CRED_ACQ",
"CRED_DISP",
"CRED_REFR",
"CRYPTO_KEY_USER",
"CRYPTO_SESSION",
"LOGIN",
"PROCTITLE",
"USER_ACCT",
"USER_CMD",
"USER_END",
"USER_LOGOUT",
"USER_START"
]

# Filter field names. Listed fields will be filtered from output messages.
#
# This property expects a valid JSON array. The value starts with '[' and ends with ']'
# and may span multiple lines.
#
filter_field_names = [
"arch_r",
"ses_r",
"mode_r"
]


# process filters.  Processes that match will filter all or nominated syscalls from output.
# depth = 0 for does not propagate, positive integer for number of child depth level to propagate to, -1 for infinite.
# If a process matches a filter, then it ignores any propagated filters from parents.
# user and group can be name or id.
# syscalls is list of syscalls by name (x64).
# exeMatchType can be one of {"MatchEquals", "MatchStartsWith", "MatchContains", "MatchRegex"}.
# exeMatchValue matches executable filename.
# cmdlineFilters is a list of combined filters matching on the command line.
# cmdlineFilters filters require a "matchType" and "matchValue" and work the same way as the exe match.

process_filters = [
    {
        "depth": -1,
        "user": "omsagent",
        "exeMatchType": "MatchEquals",
        "exeMatchValue": "/opt/microsoft/omsagent/ruby/bin/ruby",
        "cmdlineFilters": [
            {
                "matchType": "MatchStartsWith",
                "matchValue": "/opt/microsoft/omsagent/ruby/bin/ruby /opt/microsoft/omsagent/bin/omsagent"
            }
        ]
    },
    {
        "depth": -1,
        "user": "omsagent",
        "cmdlineFilters": [
            {
                "matchType": "MatchStartsWith",
                "matchValue": "/bin/sh -c \"/opt/omi/bin/OMSConsistencyInvoker"
            }
        ]
    },
    {
        "depth": -1,
        "user": "root",
        "exeMatchType": "MatchEquals",
        "exeMatchValue": "/opt/omi/bin/omiserver"
    },
    {
        "depth": -1,
        "user": "root",
        "cmdlineFilters": [
            {
                "matchType": "MatchStartsWith",
                "matchValue": "/usr/bin/python"
            },
            {
                "matchType": "MatchContains",
                "matchValue": " -u /usr/sbin/waagent -daemon"
            }
        ]
    },
    {
        "depth": -1,
        "user": "root",
        "exeMatchType": "MatchEquals",
        "exeMatchValue": "/usr/bin/dpkg",
        "syscalls": ["openat", "connect", "unlink", "fchown"]
    },
    {
        "depth": -1,
        "user": "root",
        "exeMatchType": "MatchEquals",
        "exeMatchValue": "/bin/rpm",
        "syscalls": ["connect", "openat", "unlink", "fchown"]
    },
    {
        "depth": 0,
        "user": "root",
        "cmdlineFilters": [
            {
                "matchType": "MatchStartsWith",
                "matchValue": "/bin/sh -c"
            },
            {
                "matchType": "MatchContains",
                "matchValue": "[ -f /etc/krb5.keytab ]"
            },
            {
                "matchType": "MatchContains",
                "matchValue": "! -f /etc/opt/omi/creds/omi.keytab"
            }
        ]
    },
    {
        "depth": -1,
        "user": "root",
        "cmdlineFilters": [
            {
                "matchType": "MatchStartsWith",
                "matchValue": "/bin/sh -c \"/usr/sbin/logrotate /etc/logrotate.d/omsagent*"
            }
        ]
    },
    {
        "depth": -1,
        "user": "root",
        "cmdlineFilters": [
            {
                "matchType": "MatchStartsWith",
                "matchValue": "/bin/sh -c \"/usr/sbin/logrotate -s /var/lib/logrotate/omsagent-status "
            }
        ]
    },
    {
        "depth": -1,
        "user": "root",
        "cmdlineFilters": [
            {
                "matchType": "MatchStartsWith",
                "matchValue": "/bin/sh -c \"/usr/sbin/logrotate -s /etc/logrotate.d/omi "                                                                                                 }
        ]
    },
    {
        "depth": 0,
        "exeMatchType": "MatchEquals",
        "exeMatchValue": "/lib/systemd/systemd-resolved",
        "syscalls": ["connect"]
    },
    {
        "depth": 0,
        "exeMatchType": "MatchEquals",
        "exeMatchValue": "/usr/sbin/nscd",
        "syscalls": ["connect"]
    }
]