This repository has been archived by the owner on Jan 20, 2022. It is now read-only.
# Linux Audit Heka Plugin (Go)

Note:

The project has now been divided into two parts: the API for working with the Linux kernel audit framework is provided by libaudit-go (currently in development), and the client (audit-go) provides an example of how to leverage libaudit-go.


This project aims to deliver the same functionality as Linux Audit (auditd, audispd) + audisp-cef/json, but in native Go, as a plugin to Heka.

Currently the project listens for events from the kernel via the Netlink protocol, parses the messages, and saves them in /tmp/log.

Currently the Heka plugin is provided externally. Heka reads input with Logstreamer from the file saved by audit-go and uses a custom Lua decoder (a sandboxed decoder in Heka) defined in audit_decoder.lua, which parses the audit messages and converts them to Heka messages.

The messages are then converted to JSON format using ESJsonEncoder of Heka.
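The decode step described above (raw kernel audit lines turned into structured messages and then JSON) is illustrated below by an added example in Go. It is not the project's audit_decoder.lua or libaudit-go code: it parses the kernel's `type=... msg=audit(timestamp:serial): key=value ...` record format, decodes the hex-encoded string fields the kernel emits for values containing spaces or non-printable bytes, and groups the records that share a serial into one event. The list of fields treated as hex-encoded strings and the sample log lines are constructed assumptions for the example.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// AuditRecord is the structured form of one line emitted by the kernel audit subsystem.
type AuditRecord struct {
	Type      string            `json:"type"`      // SYSCALL, CWD, PATH, EXECVE, ...
	Timestamp float64           `json:"timestamp"` // seconds since the epoch, from msg=audit(ts:serial)
	Serial    uint64            `json:"serial"`    // all records of one event carry the same serial
	Fields    map[string]string `json:"fields"`
}

var (
	// Fixed prefix of every record; group 4 is the key=value tail.
	headerRe = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$`)
	// One key=value pair: a quoted value may contain spaces, an unquoted one ends at a space.
	fieldRe = regexp.MustCompile(`([^\s=]+)=("[^"]*"|\S*)`)
	// Fields the kernel hex-encodes (unquoted) when the value has spaces, quotes or
	// non-printable bytes. EXECVE argument fields a0, a1, ... behave the same way, but in
	// SYSCALL records a0..a3 are raw register values and must not be decoded.
	// This field list is an assumption for the example, not taken from the project.
	hexStringRe = regexp.MustCompile(`^(comm|exe|cwd|name|proctitle|key|acct)$`)
	execveArgRe = regexp.MustCompile(`^a\d+$`)
)

// ParseAuditRecord parses one audit line; anything without the audit header is rejected.
func ParseAuditRecord(line string) (*AuditRecord, error) {
	m := headerRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return nil, fmt.Errorf("not an audit record: %q", line)
	}
	ts, err1 := strconv.ParseFloat(m[2], 64)
	serial, err2 := strconv.ParseUint(m[3], 10, 64)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("bad audit header in %q", line)
	}
	return &AuditRecord{Type: m[1], Timestamp: ts, Serial: serial, Fields: parseFields(m[1], m[4])}, nil
}

// parseFields splits the key=value tail into a map, decoding hex-encoded string fields.
func parseFields(recType, tail string) map[string]string {
	out := map[string]string{}
	for _, m := range fieldRe.FindAllStringSubmatch(tail, -1) {
		key, val := m[1], m[2]
		if strings.HasPrefix(val, `"`) {
			val = strings.Trim(val, `"`) // quoted: printable, taken verbatim
		} else {
			val = decodeHexField(recType, key, val)
		}
		out[key] = val
	}
	return out
}

// decodeHexField turns e.g. comm=6D7920636D64 back into "my cmd"; other values are returned as-is.
func decodeHexField(recType, key, val string) string {
	untrusted := hexStringRe.MatchString(key) || (recType == "EXECVE" && execveArgRe.MatchString(key))
	if b, err := hex.DecodeString(val); untrusted && err == nil {
		return string(b)
	}
	return val // numeric, already printable, or e.g. exe=(null): keep as-is
}

// GroupEvents joins consecutive records sharing a serial into one event (SYSCALL plus its
// CWD/PATH/EXECVE companions), the unit a SIEM such as MozDef wants to receive.
func GroupEvents(lines []string) ([][]*AuditRecord, error) {
	var events [][]*AuditRecord
	for _, l := range lines {
		rec, err := ParseAuditRecord(l)
		if err != nil {
			return nil, err
		}
		if n := len(events); n > 0 && events[n-1][0].Serial == rec.Serial {
			events[n-1] = append(events[n-1], rec)
		} else {
			events = append(events, []*AuditRecord{rec})
		}
	}
	return events, nil
}

// sampleLines are constructed for this example: a denied open() of sshd_config (exit=-13 is
// -EACCES) tagged by the rule key "sshd_config", then an execve whose comm is hex-encoded.
var sampleLines = []string{
	`type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 items=1 ppid=2686 pid=3538 auid=500 uid=500 comm="cat" exe="/bin/cat" key="sshd_config"`,
	`type=CWD msg=audit(1364481363.243:24287):  cwd="/home/user"`,
	`type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0`,
	`type=SYSCALL msg=audit(1364481370.001:24288): arch=c000003e syscall=59 success=yes exit=0 pid=3540 uid=500 comm=6D7920636D64 exe=(null)`,
}

func main() {
	events, err := GroupEvents(sampleLines)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(events, "", "  ")
	fmt.Println(string(out)) // one JSON array per event, the shape an Elasticsearch-style sink expects
}
```

Running it prints two events: the first with three records (SYSCALL, CWD, PATH) joined by serial 24287, the second a single SYSCALL whose `comm` has been decoded to `my cmd`. The type-aware hex decoding matters in practice: decoding `a0` in a SYSCALL record would turn a register value into garbage bytes, while not decoding `a0` in an EXECVE record would hide the actual argument from the analyst.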

To run with Heka:

  • Move the decoder to the decoders directory of Heka.

    cp audit_decoder.lua /usr/share/heka/lua_decoders/

  • Run hekad with the config file heka.toml.

    hekad -config=heka.toml

  • You can change the config settings as you see fit and enable additional outputs in Heka. For example, to feed the JSON messages to an Elasticsearch server, uncomment lines 68-73 in heka.toml (assuming the ES server is running on localhost:9200).

Goals:

  • To reduce complexity when integrating with log aggregation and visualization tools (e.g. Kibana) and security tools (e.g. MozDef).
  • Easier configuration and rule management.

### Project Wiki

### Feedback

Open an issue at https://github.com/mozilla/audit-go/issues to report a bug or request a new feature. Other comments and suggestions can be emailed directly to the authors.