Linux Audit Heka Plugin (GO)

Note:
The project has now been divided into two parts: the API for working with the Linux kernel audit framework is now provided by libaudit-go (in current development), and the client (audit-go) provides an example of how to leverage libaudit-go.

This project aims to deliver the same functionality as Linux Audit (auditd, audispd) + audisp-cef/json, but in native Go, as a plugin to Heka.

Currently the project listens for events from the kernel via the Netlink protocol, parses the messages and saves them in /tmp/log.

Currently the Heka plugin is provided externally. Heka reads input using Logstreamer from the file saved by audit-go and uses a custom Lua decoder (a sandboxed decoder in Heka) defined in audit_decoder.lua, which parses the audit messages and converts them to Heka Messages. The messages are then converted to JSON format using Heka's ESJsonEncoder.

To run with heka:

Move the decoder to the decoders directory of Heka:

cp audit_decoder.lua /usr/share/heka/lua_decoders/

Run heka with the config file heka.toml:

hekad -config=heka.toml

You can change the config settings as per your convenience and enable additional outputs in Heka. For example, to feed the JSON messages to an Elasticsearch server, uncomment lines 68-73 in heka.toml (assuming the ES server is running on localhost:9200).

Goals:
To reduce complexity while integrating with log aggregation, visualization tools (e.g. Kibana) and security tools (e.g. MozDef).

Project Wiki

Feedback
Open an issue at https://github.com/mozilla/audit-go/issues to report a bug or request a new feature. Other comments and suggestions can be directly emailed to the authors.
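The core of the pipeline described above is turning kernel audit records into structured messages and then into JSON. The following Go program is an added example, not code from audit-go, libaudit-go or its audit_decoder.lua: it parses records in the standard text form the kernel audit subsystem emits (type=... msg=audit(timestamp:serial): key=value ...), handles both quoted and bare values, decodes the hex encoding the kernel applies to "untrusted" string fields such as proctitle, and marshals the result to JSON. The AuditEvent struct, its field names and the list of hex-encoded fields are assumptions made for this example; the two sample records are constructed.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// AuditEvent is how this example models one kernel audit record.
// The struct and its JSON field names are assumptions, not audit-go's format.
type AuditEvent struct {
	Type      string            `json:"type"`
	Timestamp float64           `json:"timestamp"`
	Serial    uint64            `json:"serial"`
	Fields    map[string]string `json:"fields"`
}

// Header of every record: type=<TYPE> msg=audit(<secs.millis>:<serial>): <body>
var headerRe = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$`)

// Fields the kernel hex-encodes when they contain spaces, quotes or control
// characters (emitted bare, as an even-length run of hex digits). Assumed set.
var hexEncodedFields = map[string]bool{
	"proctitle": true, "comm": true, "exe": true, "name": true, "cwd": true, "key": true,
}

// ParseAuditRecord parses a single audit record line into an AuditEvent.
func ParseAuditRecord(line string) (*AuditEvent, error) {
	m := headerRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return nil, fmt.Errorf("not an audit record: %q", line)
	}
	ts, err := strconv.ParseFloat(m[2], 64)
	if err != nil {
		return nil, fmt.Errorf("bad timestamp %q: %w", m[2], err)
	}
	serial, err := strconv.ParseUint(m[3], 10, 64)
	if err != nil {
		return nil, fmt.Errorf("bad serial %q: %w", m[3], err)
	}
	fields, err := parseKV(m[4])
	if err != nil {
		return nil, err
	}
	return &AuditEvent{Type: m[1], Timestamp: ts, Serial: serial, Fields: fields}, nil
}

// parseKV splits the record body into key=value pairs. Quoted values may
// contain spaces; bare values end at the next space. Bare, all-hex values of
// known untrusted fields are hex-decoded (NUL separators become spaces).
func parseKV(body string) (map[string]string, error) {
	fields := make(map[string]string)
	i := 0
	for i < len(body) {
		for i < len(body) && body[i] == ' ' {
			i++
		}
		if i >= len(body) {
			break
		}
		eq := strings.IndexByte(body[i:], '=')
		if eq < 0 {
			return nil, fmt.Errorf("missing '=' near %q", body[i:])
		}
		key := body[i : i+eq]
		if key == "" || strings.ContainsAny(key, " \"") {
			return nil, fmt.Errorf("malformed key %q", key)
		}
		i += eq + 1
		var val string
		quoted := i < len(body) && body[i] == '"'
		if quoted {
			end := strings.IndexByte(body[i+1:], '"')
			if end < 0 {
				return nil, fmt.Errorf("unterminated quote for key %q", key)
			}
			val = body[i+1 : i+1+end]
			i += end + 2
		} else {
			end := strings.IndexByte(body[i:], ' ')
			if end < 0 {
				val, i = body[i:], len(body)
			} else {
				val, i = body[i:i+end], i+end
			}
		}
		if !quoted && hexEncodedFields[key] && len(val) > 0 && len(val)%2 == 0 {
			if raw, err := hex.DecodeString(val); err == nil {
				val = strings.ReplaceAll(string(raw), "\x00", " ")
			}
		}
		fields[key] = val
	}
	return fields, nil
}

// ToJSON renders an event the way a JSON encoder stage would.
func ToJSON(ev *AuditEvent) (string, error) {
	b, err := json.Marshal(ev)
	return string(b), err
}

// SampleRecords are constructed for this example (one SYSCALL and its
// PROCTITLE record, sharing serial 24287; the proctitle hex decodes to
// "cat\x00/etc/ssh/sshd_config").
var SampleRecords = []string{
	`type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"`,
	`type=PROCTITLE msg=audit(1364481363.243:24287): proctitle=636174002F6574632F7373682F737368645F636F6E666967`,
}

func main() {
	for _, rec := range SampleRecords {
		ev, err := ParseAuditRecord(rec)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		js, _ := ToJSON(ev)
		fmt.Println(js)
	}
}
```

Records belonging to one kernel event share the same serial number, so a decoder that wants a single JSON document per event (rather than per record) groups parsed records by Serial before encoding them; the hex decoding matters for detection because a proctitle with spaces would otherwise be invisible to field matches.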