# /etc/rsyslog.d/01-go-audit.conf
# Forwarding template: RFC 3339 timestamps (sub-second precision when the
# source timestamp carries it) instead of the classic low-resolution format.
# Layout: <PRI>TIMESTAMP HOSTNAME TAG[ ]MSG. The sp-if-no-1st-sp property
# option emits a space only when MSG does not already start with one, so the
# tag/msg boundary is always exactly one space for the downstream parser.
# NOTE(review): nothing in this template escapes or drops newlines inside
# %msg%; rsyslog's default control-character escaping on receive is what keeps
# a multi-line payload from being split into forged records downstream —
# confirm it has not been disabled globally.
template(
name="LongTagForwardFormat"
type="string"
string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%"
)
# Dedicated ruleset so audit events can be routed here from several places
# (the imptcp socket below and the programname filters at the bottom) without
# duplicating the action. Queue semantics worth knowing before relying on this
# as an audit trail:
#  * Both queues are in-memory only (LinkedList, no queue.filename /
#    queue.saveOnShutdown), so anything buffered while streamstash is
#    unreachable is lost if rsyslog restarts or the host crashes.
#  * queue.discardmark is set equal to queue.size and discardseverity="0"
#    (0 = emerg), so once a queue reaches its limit messages of every severity
#    are discarded. That is a deliberate load-shedding choice that favours
#    liveness over completeness; nothing here counts or alerts on the gap.
#    Consider impstats and/or a disk-assisted queue if gaps are unacceptable.
ruleset(
name="go-audit-output"
queue.discardmark="1000"
queue.discardseverity="0"
queue.size="1000"
queue.type="LinkedList"
){
# Forward everything to streamstash over RELP. RELP acknowledges at the
# application layer, so a message leaves the action queue only once the
# receiver has confirmed it. Plaintext is acceptable only because the target
# is loopback; any non-127.0.0.1 target should use omrelp's TLS options.
# resumeRetryCount=-1 retries forever while streamstash is down; during that
# time the 50000-entry in-memory action queue is the only buffer (see above).
action(
type="omrelp"
name="streamstash-relp"
target="127.0.0.1"
port="5514"
template="LongTagForwardFormat"
action.resumeRetryCount="-1"
windowSize="1000"
queue.discardmark="50000"
queue.discardseverity="0"
queue.size="50000"
queue.type="LinkedList"
)
}
# Stream-oriented unix socket for go-audit so that log lines > 128kb are not
# subject to the datagram limits of /dev/log. Everything arriving here is
# bound directly to the go-audit-output ruleset with no programname check.
# unlink="on" is meant to remove a stale socket file so the bind succeeds
# after an unclean stop.
# NOTE(review): large lines additionally require the global maxMessageSize to
# be raised elsewhere (rsyslog's default is 8k) or the audit JSON is
# truncated; that setting is not in this file — confirm it exists.
# NOTE(review): no fileOwner/fileGroup/fileCreateMode are set, so the socket
# gets rsyslog's default permissions. Any local process able to connect can
# inject arbitrary records that downstream will treat as audit events;
# restrict the socket to go-audit's user if your rsyslog version supports
# those imptcp parameters.
input(type="imptcp" path="/var/run/go-audit.sock" unlink="on" name="go-audit-input" ruleset="go-audit-output")
# go-audit events that arrive via the normal syslog path (tag "go-audit"):
# hand them to the ruleset and `stop`, so no later rule (e.g. the default
# /var/log file outputs in other fragments) ever sees them. Combined with the
# in-memory queues above this means there is no on-disk copy of audit events
# anywhere on the host; if streamstash is down long enough, they are gone.
# NOTE(review): $programname is derived from the message tag, which any local
# writer to the syslog socket can set. Unless trusted-properties annotation is
# enabled on the local input, a local user can forge records that look like
# go-audit output.
if $programname == "go-audit" then {
call go-audit-output
stop
}
# Tee: copy sshd and sudo records into the audit stream without `stop`, so the
# same lines still continue on to whatever outputs follow in later config
# fragments. Note the match is on program name, not on the auth facility
# itself, and program name is settable by any local sender (see above).
if $programname == "sshd" or $programname == "sudo" then {
call go-audit-output
}