Description
Hello,
I was parsing auditd log entries with logstash's grok, which uses the oniguruma regex library, and noticed that auditd inserts an INFORMATION SEPARATOR THREE (1D) character between the regular log entries and the ones belonging in the ENRICHED category.
An example:
type=SYSCALL msg=audit(1471629018.000:37047): arch=c000003e syscall=2 success=yes exit=9 a0=7ffd2bf00d70 a1=42 a2=180 a3=8 items=2 ppid=23314 pid=30073 auid=1004 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=57 comm="sshd" exe="/usr/sbin/sshd" key="login_session"^]ARCH=x86_64 SYSCALL=open AUID="someone" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
^] - denotes where the 1D character is, as seen by grep in a standard terminal.
I could not understand how a regular expression was intermittently failing to parse the same log entry, fired up a hex viewer and found that character there, which was stripped by the online debugger I was using for logstash.
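For anyone ingesting these records, the practical consequence is that the raw key=value fields and the enriched (upper-case) fields must be split on the 0x1d byte before any whitespace-based pattern is applied. The following parser is an added example, not code from the issue or from auditd/logstash; the sample line is constructed to mirror the record shown above, and the function and key names are my own.

```python
"""Parse auditd records that carry enriched fields after a 0x1d (GS) separator."""
import re

# Separator auditd inserts between the raw record and the ENRICHED fields
# (INFORMATION SEPARATOR THREE, shown as ^] by grep in a terminal).
ENRICHED_SEP = "\x1d"

# Constructed sample modelled on the record in the issue (not a captured log).
SAMPLE = (
    'type=SYSCALL msg=audit(1471629018.000:37047): arch=c000003e syscall=2 '
    'success=yes exit=9 a0=7ffd2bf00d70 a1=42 a2=180 a3=8 items=2 ppid=23314 '
    'pid=30073 auid=1004 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=57 comm="sshd" exe="/usr/sbin/sshd" key="login_session"'
    '\x1dARCH=x86_64 SYSCALL=open AUID="someone" UID="root" GID="root" EUID="root" '
    'SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"'
)

# type=<TYPE> msg=audit(<epoch.millis>:<serial>): <rest>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$",
    re.S,
)

# key=value where value is a double-quoted string (with escapes) or a run of
# characters up to whitespace. The separator is excluded explicitly because
# not every regex engine treats 0x1d as whitespace.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s\x1d]+)')


def has_enrichment(line):
    """True when the record carries a 0x1d-separated enriched tail."""
    return ENRICHED_SEP in line


def normalize_for_grok(line):
    """Mitigation for whitespace-only tokenizers: turn the separator into a space."""
    return line.replace(ENRICHED_SEP, " ")


def parse_fields(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping the surrounding quotes."""
    out = {}
    for key, value in FIELD_RE.findall(text):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        out[key] = value
    return out


def parse_audit_record(line):
    """Split raw and enriched parts on 0x1d, then parse header and both field sets."""
    raw, _, enriched = line.rstrip("\n").partition(ENRICHED_SEP)
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not an auditd record: %r" % raw[:40])
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": parse_fields(m.group("rest")),
        "enriched": parse_fields(enriched),  # empty dict when not enriched
    }


if __name__ == "__main__":
    rec = parse_audit_record(SAMPLE)
    print(rec["type"], rec["serial"], rec["fields"]["key"], rec["enriched"]["SYSCALL"])
```

Splitting on the separator first means the last raw field (`key="login_session"` here) is never glued to `ARCH=x86_64`, which is exactly the boundary a whitespace-based grok pattern trips over; `normalize_for_grok` is the cheap alternative if the record must stay a single string before pattern matching.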