Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
audisp-json.c ensure serials never get duplicated for parses that wont reconstruct Apr 13, 2019
example_audit.rules Correct the rsyslog.d path Mar 11, 2019
json-config.c add pre/post pending options for all messages Apr 12, 2019
json-config.h add pre/post pending options for all messages Apr 12, 2019


This program is a plugin for Linux Audit user space programs available at It uses the audisp multiplexer.

Audisp-json correlates messages coming from the kernel's audit (and through audisp) into a single JSON message that is sent directly to a log server (it doesn't use syslog). The JSON format used is MozDef message format.

Regular audit log messages and audisp-json error, info messages still use syslog.

Due to the ring buffer filling up when the front-end HTTP server does not process fast enough, the program may slowly grow in memory for a while on busy systems. It'll stop at 512 messages (hard-coded) buffered.

  +-----------+            +------------+
  |           |   Netlink  |            |
  |  kernel   +------------>   auditd   |
  |           |            |            |
  +-----------+            +------+-----+
                                  |                +------------+             +--------------+
                           pipe   |                |            |   HTTP(S)   |              |
                                  |         +------> audisp-json+------------>+  MozDef JSON |
                           +------v-----+   |      |            |             |              |
                           |            |   |      +------------+             +--------------+
                           | audispd    +---+
                           |            |  pipe
                           +---------+--+          +------------+
                                     |             |            |
                                     +-------------> Other      |
                                           pipe    | plugins    |


Required dependencies:

  • Audit (2.0+)
  • libtool
  • libcurl

For package building:

  • FPM
  • rpmbuild (rpm)

Build targets:

They're self explanatory.

  • make
  • make rpm
  • make deb
  • make install
  • make uninstall
  • make clean
  • make rpm-deps # builds deps for amazonlinux, centos, etc.

Note that packaging targets (like make rpm) will package an example rule file, but not use it by default. You can move it where needed manually.

Example to build for CentOS:

docker run --rm -ti -v $(pwd):/build centos:7 /bin/bash -c "yum install -y make && cd /build && make rpm-deps && make

Or for AmazonLinux:

docker run --rm -ti -v $(pwd):/build amazonlinux /bin/bash -c "yum install -y make && cd /build && make rpm-deps && make

Or for Ubuntu:

docker run --rm -ti -v $(pwd):/build ubuntu:14.04 /bin/bash -c "apt-get update && apt-get -y install build-essential && cd /build && make deb-deps && make deb"

Mozilla build targets

We previously used audisp-cef, so we would want to mark that package as obsolete.

  • make rpm FPMOPTS="--replaces audisp-cef"
  • make deb FPMOPTS="--replaces audisp-cef"

Deal with auditd quirks, or how to make auditd useable in prod

These examples filter out messages that may clutter your log or/and DOS yourself (high I/O) if auditd goes down for any reason.

Example for rsyslog

    #Drop native audit messages from the kernel (may happen is auditd dies, and may kill the system otherwise)
    :msg, regex, "type=[0-9]* audit" ~
    #Drop audit sid msg (work-around until RH fixes the kernel - should be fixed in RHEL7 and recent RHEL6)
    :msg, contains, "error converting sid to string" ~

Example for syslog-ng

    source s_syslog { unix-dgram("/dev/log"); };
    filter f_not_auditd { not message("type=[0-9]* audit") or not message("error converting sid to string"); };
    log{ source(s_syslog);f ilter(f_not_auditd); destination(d_logserver); };

Misc other things to do

  • It is suggested to bump the audispd queue to adjust for extremely busy systems, for ex. q_depth=512.
  • You will also probably need to bump the kernel-side buffer and change the rate limit in audit.rules, for ex. -b 16384 -r 500.

Message handling

Syscalls are interpreted by audisp-json and transformed into a MozDef JSON message. This means, for example, all execve() and related calls will be aggregated into a message of type EXECVE.

NOTE: MozDef messages are not sent to syslog. They're sent to MozDef directly.

Supported messages are listed in the document

Configuration file

The audisp-json.conf file has a few options:

  • mozdef_url Any server supporting JSON MozDef messages
  • ssl_verify Yes or no. Only use no for testing purposes.
  • curl_verbose Enables curl verbose mode for debugging. start audisp-json in the foreground to see messages.
  • curl_logfile Path to a file to log curl debug messages to. Most useful with curl_verbose also set. Otherwise, message go to stderr.
  • curl_cainfo Specify the path to a single CA certificate, if needed. When not specified, system's CA bundle is used.
  • file_log Specify a file path to log the json data to. This disables mozdef logging.
  • prepend_msg Specific a string to prepend all messages with. For example, for Fluentd you might want prepend_msg={"message":.
  • postpend_msg Similar to prepend_msg but for postpending the messages. To complement the previous example you would use postpend_msg=}.

Static compilation tips

If you need to compile in statically compiled libraries, here are the variables to change from the makefile, using libcurl and openssl statically compiled as an example.

    @@ -48,9 +48,11 @@ else ifeq ($(DEBUG),1)
    CFLAGS  := -fPIE -DPIE -g -O2 -D_REENTRANT -D_GNU_SOURCE -fstack-protector-all -D_FORTIFY_SOURCE=2
    +CFLAGS := -g -O2 -D_REENTRANT -D_GNU_SOURCE -fstack-protector-all -D_FORTIFY_SOURCE=2

    -LDFLAGS        := -pie -Wl,-z,relro
    -LIBS   := -lauparse -laudit `curl-config --libs`
    +#LDFLAGS       := -pie -Wl,-z,relro -static
    +LDFLAGS := -static -ldl -lz -lrt
    +LIBS   := -lauparse -laudit $(pkg-config --static --libs libssl libcurl)
    ./path-to-libcurl/lib/.libs/libcurl.a ./path-to-openssl/libssl.a
    ./path-to-openssl/libcrypto.a -lpthread

    GCC            := gcc

To compile libcurl in this example:

./configure --disable-shared --enable-static --prefix=/tmp/curl --disable-ldap --disable-sspi --without-librtmp --disable-ftp --disable-file --disable-dict --disable-telnet --disable-tftp --disable-
tsp --disable-pop3 --disable-imap --disable-smtp --disable-gopher --disable-smb --without-libidn --with-ssl --without-libssh2 --without-nghttp2 --without-libpsl

NOTE: Any library you enable will need to be available as a static library as well. NOTE2: New libraries may be needed when using newer versions of libcurl and openssl so your mileage may vary.

You can’t perform that action at this time.