#Linux Audit Heka Plugin (GO)
The project has now been divided into two parts, the API to deal with linux kernel audit framework is now provided by libaudit-go (in current development) and the client (audit-go) which provides an example to leverage libaudit-go.
This project aims to deliver the same functionality as Linux Audit (auditd, audispd) + audisp-cef/json but in native Go as a plugin to Heka.
Currently the project listen for events from the kernel via the Netlink protocol and parse the messages and save them in /tmp/log.
Currently the Heka plugin is provided externally. Heka reads input using Logstreamer from the file saved by audit-go and uses a custom lua decoder (SandBoxed decoder in Heka) defined in audit_decoder.lua which parses the audit messages and convert them to Heka Messages.
The messages are then converted to JSON format using ESJsonEncoder of Heka.
To run with heka:
-
Move the decoder to decoders directory of Heka.
cp audit_decoder.lua /usr/share/heka/lua_decoders/ -
Run heka with the config file
heka.toml.
hekad -config=heka.toml
- You can change the config settings as per your convenience and enable additional outputs in Heka. For example, to feed the JSON messages to an Elasticsearch server, uncomment lines 68-73 in
heka.toml(assuming the ES server is running onlocalhost:9200).
Goals:
- To reduce complexity while integrating with log aggregation, visualization tools (eg. Kibana) and security tools (eg. MozDef).
- Easier configuration and rule management.
###Project Wiki
Open an issue https://github.com/mozilla/audit-go/issues to report a bug or request a new feature. Other comments and suggestions can be directly emailed to the authors.