Linux Audit Plugin for heka written using netlink Protocol in golang and Lua
libaudit-go @ 20ea277
tools
.gitignore
.gitmodules
CODE_OF_CONDUCT.md
LICENSE
README.md
audit.rules
audit_decoder.lua
heka.toml
main.go

README.md

# Linux Audit Heka Plugin (GO)

Note:

The project has now been divided into two parts: the API for the Linux kernel audit framework is now provided by libaudit-go (currently in development), and the client (audit-go) provides an example of how to leverage libaudit-go.


This project aims to deliver the same functionality as Linux Audit (auditd, audispd) + audisp-cef/json but in native Go as a plugin to Heka.

Currently the project listens for events from the kernel via the Netlink protocol, parses the messages and saves them to /tmp/log.

Currently the Heka plugin is provided externally. Heka reads input using Logstreamer from the file saved by audit-go and uses a custom Lua decoder (a sandboxed decoder in Heka) defined in audit_decoder.lua, which parses the audit messages and converts them to Heka messages.

The messages are then converted to JSON format using ESJsonEncoder of Heka.
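The two steps described above, parsing raw kernel audit lines into structured records and rendering them as JSON, are illustrated by the following added Go example. It is not code from audit-go, libaudit-go or the Lua decoder; the `AuditRecord` type, the function names and the sample log lines are constructed for this example, and the tokenizer only models the `key=value` layout auditd prints (bare tokens, plus `"`- or `'`-quoted values that may contain spaces). It also counts lines it cannot parse, so a decoder that silently drops records can be noticed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// AuditRecord is a constructed structured form of one kernel audit line,
// analogous to the fields the Lua decoder sets on a Heka message.
type AuditRecord struct {
	Type      string            `json:"type"`
	Timestamp float64           `json:"timestamp"`
	Serial    int               `json:"serial"`
	Fields    map[string]string `json:"fields"`
}

// headerRe matches the fixed prefix every audit line carries:
// "type=<TYPE> msg=audit(<epoch.millis>:<serial>): <key=value ...>".
var headerRe = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$`)

// ParseAuditRecord parses one audit line; a line without the header is an error.
func ParseAuditRecord(line string) (*AuditRecord, error) {
	m := headerRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return nil, fmt.Errorf("not an audit record: %q", line)
	}
	ts, err := strconv.ParseFloat(m[2], 64)
	if err != nil {
		return nil, err
	}
	serial, err := strconv.Atoi(m[3])
	if err != nil {
		return nil, err
	}
	return &AuditRecord{Type: m[1], Timestamp: ts, Serial: serial, Fields: splitFields(m[4])}, nil
}

// splitFields tokenises the key=value body. A value is either a bare token
// (up to the next space) or quoted with " or ', in which case it may contain
// spaces; this keeps comm="my prog" or msg='op=login ...' as one value.
func splitFields(body string) map[string]string {
	fields := map[string]string{}
	for i := 0; i < len(body); {
		for i < len(body) && body[i] == ' ' {
			i++
		}
		eq := strings.IndexByte(body[i:], '=')
		if i >= len(body) || eq < 0 {
			break // nothing left, or a trailing token without '='
		}
		key := body[i : i+eq]
		i += eq + 1
		var val string
		if i < len(body) && (body[i] == '"' || body[i] == '\'') {
			if end := strings.IndexByte(body[i+1:], body[i]); end < 0 {
				val, i = body[i+1:], len(body) // unterminated quote: take the rest
			} else {
				val, i = body[i+1:i+1+end], i+end+2
			}
		} else if end := strings.IndexByte(body[i:], ' '); end < 0 {
			val, i = body[i:], len(body)
		} else {
			val, i = body[i:i+end], i+end
		}
		fields[key] = val
	}
	return fields
}

// ParseAuditLog parses every non-empty line, skipping malformed ones and
// reporting how many were skipped so a caller can alert on dropped data.
func ParseAuditLog(lines []string) (records []*AuditRecord, skipped int) {
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		rec, err := ParseAuditRecord(l)
		if err != nil {
			skipped++
			continue
		}
		records = append(records, rec)
	}
	return records, skipped
}

// ToJSON renders a record as a JSON document, as an encoder would ship it.
func ToJSON(rec *AuditRecord) (string, error) {
	b, err := json.Marshal(rec)
	return string(b), err
}

// sampleLog is constructed input in the layout auditd prints (not real events).
var sampleLog = []string{
	`type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="sshd_config"`,
	`type=USER_LOGIN msg=audit(1364481363.500:24290): pid=3540 uid=0 auid=500 ses=2 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=failed'`,
	`garbage line that is not an audit record`,
}

func main() {
	recs, skipped := ParseAuditLog(sampleLog)
	fmt.Printf("parsed %d records, skipped %d\n", len(recs), skipped)
	for _, r := range recs {
		js, _ := ToJSON(r)
		fmt.Println(js)
	}
}
```

The quoting rule matters for detection: a `USER_LOGIN` record wraps its own `key=value` pairs inside `msg='...'`, so a naive split on spaces would turn one failed-login event into a dozen meaningless keys and lose the `res=failed` context the downstream tooling keys on.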

To run with Heka:

- Move the decoder to the decoders directory of Heka.

  ```
  cp audit_decoder.lua /usr/share/heka/lua_decoders/
  ```

- Run Heka with the config file heka.toml.

  ```
  hekad -config=heka.toml
  ```

- You can change the config settings as per your convenience and enable additional outputs in Heka. For example, to feed the JSON messages to an Elasticsearch server, uncomment lines 68-73 in heka.toml (assuming the ES server is running on localhost:9200).

Goals:

- To reduce complexity while integrating with log aggregation, visualization tools (e.g. Kibana) and security tools (e.g. MozDef).
- Easier configuration and rule management.

### Project Wiki

Feedback

Open an issue at https://github.com/mozilla/audit-go/issues to report a bug or request a new feature. Other comments and suggestions can be emailed directly to the authors.
