# Linux Audit Heka Plugin (GO)

Note:

The project has now been divided into two parts: the API for working with the Linux kernel audit framework is provided by libaudit-go (currently in development), and the client (audit-go) provides an example of how to leverage libaudit-go.


This project aims to deliver the same functionality as Linux Audit (auditd, audispd) + audisp-cef/json but in native Go as a plugin to Heka.

Currently the project listens for events from the kernel via the Netlink protocol, parses the messages and saves them to /tmp/log.

Currently the Heka plugin is provided externally. Heka reads its input with Logstreamer from the file written by audit-go and uses a custom Lua decoder (a sandboxed decoder in Heka), defined in audit_decoder.lua, which parses the audit messages and converts them into Heka messages.

The messages are then converted to JSON using Heka's ESJsonEncoder.
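To illustrate the parsing step the decoder performs, here is an added Go example (written for this page, not audit-go's, libaudit-go's or the Lua decoder's own code). It assumes the standard audit record layout `type=X msg=audit(timestamp:serial): key=value ...`, flattens each record into a map and correlates the records of one event by serial; the sample records are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Record layout: "type=X msg=audit(timestamp:serial): key=value ..."; a value is double-quoted (may contain spaces) or a bare token.
var headerRe = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$`)
var fieldRe = regexp.MustCompile(`(\w+)=("(?:[^"\\]|\\.)*"|\S*)`)
// ParseAuditLine flattens one record into a map (the shape of a Heka message's fields);
// "type", "timestamp" and "serial" are set last so no body field can overwrite them.
func ParseAuditLine(line string) (map[string]string, error) {
	m := headerRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil { // no audit(ts:serial) header: reject rather than guess
		return nil, fmt.Errorf("not an audit record: %q", line)
	}
	rec := map[string]string{}
	for _, kv := range fieldRe.FindAllStringSubmatch(m[4], -1) {
		rec[kv[1]] = strings.Trim(kv[2], `"`)
	}
	rec["type"], rec["timestamp"], rec["serial"] = m[1], m[2], m[3]
	return rec, nil
}
// GroupByEvent correlates records by serial (the SYSCALL, CWD and PATH records of one
// system call only make sense together); unparseable lines are counted, not lost.
func GroupByEvent(lines []string) (events map[string][]map[string]string, bad int) {
	events = map[string][]map[string]string{}
	for _, l := range lines {
		rec, err := ParseAuditLine(l)
		if err != nil {
			bad++
			continue
		}
		events[rec["serial"]] = append(events[rec["serial"]], rec)
	}
	return events, bad
}
// SampleLines are constructed records of one denied open() of sshd_config.
var SampleLines = []string{
	`type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"`,
	`type=CWD msg=audit(1364481363.243:24287):  cwd="/home/shadowman"`,
	`type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0`,
}
func main() {
	events, bad := GroupByEvent(append(SampleLines, "not an audit line"))
	fmt.Printf("%d event(s), %d unparseable line(s)\n", len(events), bad)
}
```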

To run with Heka:

```
hekad -config=heka.toml
```

Goals:

### Project Wiki

### Feedback

Open an issue at https://github.com/mozilla/audit-go/issues to report a bug or request a new feature. Other comments and suggestions can be emailed directly to the authors.