# Linux Audit Heka Plugin (Go)
The project has been split into two parts: the API for the Linux kernel audit framework is now provided by libaudit-go (currently in development), and the client (audit-go) serves as an example of how to use libaudit-go.
This project aims to deliver the same functionality as Linux Audit (auditd, audispd) + audisp-cef/json but in native Go as a plugin to Heka.
Currently the project listens for events from the kernel via the Netlink protocol, parses the messages and saves them in
Currently the Heka plugin is provided externally. Heka reads its input with Logstreamer from the file written by audit-go and uses a custom Lua decoder (a sandboxed decoder in Heka), defined in audit_decoder.lua, which parses the audit messages and converts them into Heka messages. The messages are then encoded as JSON using Heka's ESJsonEncoder.
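As an added illustration of the parsing step (example code written for this page, not code from audit-go or audit_decoder.lua): a Go parser for the kernel's audit record format, the same `type=... msg=audit(time:serial): k=v ...` lines the decoder turns into Heka messages. The `AuditRecord` type, `ParseAuditRecord` and the sample lines are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AuditRecord is one parsed kernel audit message (a type defined for this example).
type AuditRecord struct {
	Type, Timestamp, Serial string            // e.g. SYSCALL; seconds.millis; serial shared by one event's records
	Fields                  map[string]string // the k=v pairs of the record body
}

// Every record starts with `type=<TYPE> msg=audit(<time>:<serial>): ` followed by k=v pairs.
var header = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$`)

// Constructed sample records in the kernel's audit format (not captured from a real host).
var SampleLines = []string{
	`type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 items=1 ppid=2686 pid=3538 auid=500 uid=500 comm="cat" exe="/bin/cat" key="sshd_config"`,
	`type=USER_ACCT msg=audit(1364481363.243:24288): pid=3538 uid=0 auid=500 ses=1 msg='op=PAM:accounting acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'`,
}

// ParseAuditRecord parses one raw line; values may be bare, "double-quoted" or 'single-quoted', and a quoted value keeps spaces and nested k=v text verbatim.
func ParseAuditRecord(line string) (*AuditRecord, error) {
	m := header.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return nil, fmt.Errorf("not an audit record: %q", line)
	}
	rec := &AuditRecord{Type: m[1], Timestamp: m[2], Serial: m[3], Fields: map[string]string{}}
	body := m[4]
	for i := 0; i < len(body); {
		i += len(body[i:]) - len(strings.TrimLeft(body[i:], " ")) // skip separators
		eq := strings.IndexByte(body[i:], '=')
		if eq < 0 {
			break // trailing token without '=': nothing left to parse
		}
		key, end := body[i:i+eq], len(body)
		i += eq + 1
		if i < len(body) && (body[i] == '"' || body[i] == '\'') { // quoted value
			if q := strings.IndexByte(body[i+1:], body[i]); q >= 0 {
				end = i + 1 + q
			}
			rec.Fields[key], i = body[i+1:end], end+1
		} else { // bare value runs to the next space
			if sp := strings.IndexByte(body[i:], ' '); sp >= 0 {
				end = i + sp
			}
			rec.Fields[key], i = body[i:end], end
		}
	}
	return rec, nil
}
```

The nested `acct="root" ... res=success` inside the USER_ACCT `msg='...'` stays a single value, which is the case a naive split on spaces gets wrong.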
To run with Heka:

- Move the decoder to Heka's decoders directory:

  ```sh
  cp audit_decoder.lua /usr/share/heka/lua_decoders/
  ```

- Run Heka with the config file.
- You can change the config settings as you see fit and enable additional outputs in Heka. For example, to feed the JSON messages to an Elasticsearch server, uncomment lines 68-73 in heka.toml (assuming the ES server is running on
- To reduce complexity when integrating with log aggregation and visualization tools (e.g. Kibana) and security tools (e.g. MozDef).
- Easier configuration and rule management.
Open an issue at https://github.com/mozilla/audit-go/issues to report a bug or request a new feature. Other comments and suggestions can be emailed directly to the authors.