Auditd multi-line log format

It seems that for any given "event" that auditd picks up, there are on the order of four log lines added to the auditd log.

Is there any predictable pattern that can be used to group log file lines into a single event? Specifically, I'm looking for something that denotes the start and end of an event.

For example, it seems like "type=SYSCALL" denotes the start of an event. But auditd docs I've found show that there are a ton -- a ton, I tell ya -- of different record types and the implication to me is that "SYSCALL" might not always be the indicator of an event.

Even more specifically, I'm asking this because I am using Sumologic to analyze my logs and they have a regex-based way of grouping multi-line log data into a single event. I will be asking them this question as well, but since this is more a question about auditd than it is about Sumologic, I thought it would be useful to ask to this community.

I would recommend you use the ausearch utility to pre-process the logs before sending them to an analysis capability. Firstly, it inserts a event separator (four -'s) and it can optionally interpret the data to make it more readable (convert hex strings into text again, interpret uid's into usernames and you can use it's checkpointing capability to only gain new events on successive invocations (see the man page). You can also possibly use it to select events of interest as well.

I would point out Linux auditd events are quite complex and care should be taken in deciding what you need for analysis. Ideally, you should store the original logs (after ausearch -i) in a data store that can also normalize them into events for passing to an analysis capability or multiple analysis capabilities (in case one product doesn't answer all your questions).