// the find
Scribery/aushape
A library and a tool for converting audit logs to XML and JSON
Aushape converts Linux auditd log messages to JSON or XML, aggregating multi-record audit events into single structured objects. It works as a standalone tool or as an audispd plugin for live streaming. The target audience is security engineers who want to ship audit logs to Elasticsearch or a SIEM without writing their own parser.
Handles the genuinely hard part of auditd parsing — multi-record event aggregation (SYSCALL + PROCTITLE + PATH records into one object) rather than naive line-by-line conversion. Built on libauparse, which means it inherits Red Hat's field-decoding logic instead of re-implementing it. The streaming mode via Audispd plugin works without polling or temp files. JSON schema and XSD are included, so consumers can validate output rather than guessing structure.
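To make the aggregation step concrete, here is an added Python example (not aushape's code, which does this through libauparse in C) that groups raw auditd records by their `audit(timestamp:serial)` event id and emits one JSON object per event. The log lines are constructed for the example; the record types, the hex-encoded `proctitle`, and the `EOE` end-of-event marker follow the standard auditd format, and the `REPEATABLE` set and the shape of the output object are this example's own choices, not aushape's schema.

```python
"""Aggregate multi-record auditd events into one JSON object per event.

Added example, not aushape code. Shows what "multi-record event aggregation"
means in practice: SYSCALL + CWD + PATH + PROCTITLE records sharing one
audit(ts:serial) id become a single structured object, even when records of
different events are interleaved in the stream.
"""
import json
import re

# type=SYSCALL msg=audit(1520000000.123:456): arch=... -> type, ts, serial, body
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values are "quoted" (may contain spaces) or bare tokens.
# Keys may contain '-' (e.g. old-auid in LOGIN records).
FIELD_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')

# Record types that legitimately occur several times inside one event (one PATH per item=N).
# Example's own choice; extend as needed.
REPEATABLE = {"PATH"}
# Fields auditd hex-encodes when they contain spaces or NUL bytes.
HEX_FIELDS = {"proctitle"}


def parse_record(line):
    """Parse one auditd line into (type, timestamp, serial, fields) or None if not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(m.group("body")):
        if raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        elif key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
            # hex-encoded argv; NUL separates the individual arguments
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
        else:
            fields[key] = raw
    return m.group("type"), float(m.group("ts")), int(m.group("serial")), fields


class EventAggregator:
    """Collects records per (timestamp, serial) and emits an event when EOE closes it."""

    def __init__(self):
        self.pending = {}  # (ts, serial) -> event under construction

    def feed(self, line):
        """Feed one raw line; return the completed event on EOE, else None."""
        parsed = parse_record(line)
        if parsed is None:
            return None
        rtype, ts, serial, fields = parsed
        key = (ts, serial)
        if rtype == "EOE":
            return self.pending.pop(key, None)
        event = self.pending.setdefault(key, {"timestamp": ts, "serial": serial, "records": {}})
        if rtype in REPEATABLE:
            event["records"].setdefault(rtype, []).append(fields)
        else:
            event["records"][rtype] = fields
        return None

    def flush(self):
        """Emit everything still open: auditd does not send EOE for single-record events,
        so a streaming consumer also needs a timeout-based flush like this one."""
        done = [self.pending[k] for k in sorted(self.pending)]
        self.pending.clear()
        return done


def aggregate(lines):
    """Return the list of aggregated events, in completion order."""
    agg = EventAggregator()
    events = []
    for line in lines:
        ev = agg.feed(line)
        if ev is not None:
            events.append(ev)
    events.extend(agg.flush())
    return events


# Constructed sample: event 456 (cat /etc/shadow) interleaved with event 457 (curl),
# followed by a single-record LOGIN event 458 that has no EOE.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1520000000.123:456): arch=c000003e syscall=257 success=yes exit=3 '
    'a0=ffffff9c a1=55d2c4a0b2f0 a2=80000 a3=0 items=1 ppid=1 pid=1234 auid=1000 uid=0 gid=0 '
    'euid=0 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="etc_watch"',
    'type=CWD msg=audit(1520000000.123:456): cwd="/root"',
    'type=PATH msg=audit(1520000000.123:456): item=0 name="/etc/shadow" inode=123 dev=fd:01 '
    'mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1520000000.500:457): arch=c000003e syscall=42 success=yes exit=0 '
    'pid=1300 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key=(null)',
    'type=PROCTITLE msg=audit(1520000000.500:457): proctitle=6375726C00687474703A2F2F6578616D706C652E636F6D',
    'type=EOE msg=audit(1520000000.500:457): ',
    'type=PROCTITLE msg=audit(1520000000.123:456): proctitle=636174002F6574632F736861646F77',
    'type=EOE msg=audit(1520000000.123:456): ',
    'type=LOGIN msg=audit(1520000001.000:458): pid=5 uid=0 old-auid=4294967295 auid=1000 '
    'tty=(none) old-ses=4294967295 ses=1 res=1',
]

if __name__ == "__main__":
    for event in aggregate(SAMPLE_LINES):
        print(json.dumps(event, sort_keys=True))
```

Two things the example makes visible that a line-by-line converter loses: the `PROCTITLE` hex blob becomes the readable command line it encodes, and the `PATH` record's `name` lands in the same object as the `SYSCALL` record's `key`, so a consumer can filter on the watch key and the touched file together. The `flush()` path is the caveat to keep in mind for any streaming consumer, aushape included: events without an `EOE` record only complete when a timeout or end-of-input forces them out.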
Dead project — last commit 2018, README itself says 'early development stage and anything can change.' The audit record format has drifted since then; newer kernel event types will produce incomplete or garbled output. Depends on autotools and libauparse, which means packaging on modern distros is friction (libauparse-dev is often an afterthought). No tests visible in the tree, which matters a lot for a parser where correctness is the entire point. The rsyslog-to-Elasticsearch setup it documents uses the deprecated `searchType` field that Elasticsearch dropped years ago.