Documentation ¶
Overview ¶
Package auditd is a metricset that subscribes to the Linux Audit Framework to receive audit events from the kernel.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Config ¶
type Config struct {
	ResolveIDs   bool   `config:"resolve_ids"`         // Resolve UID/GIDs to names.
	FailureMode  string `config:"failure_mode"`        // Failure mode for the kernel (silent, log, panic).
	BacklogLimit uint32 `config:"backlog_limit"`       // Max number of messages to buffer in the auditd.
	RateLimit    uint32 `config:"rate_limit"`          // Rate limit in messages/sec of messages from auditd.
	RawMessage   bool   `config:"include_raw_message"` // Include the list of raw audit messages in the event.
	Warnings     bool   `config:"include_warnings"`    // Include warnings in the event (for dev/debug purposes only).
	RulesBlob    string `config:"audit_rules"`         // Audit rules. One rule per line.
	SocketType   string `config:"socket_type"`         // Socket type to use with the kernel (unicast or multicast).

	// Tuning options (advanced, use with care)
	ReassemblerMaxInFlight uint32        `config:"reassembler.max_in_flight"`
	ReassemblerTimeout     time.Duration `config:"reassembler.timeout"`
	StreamBufferQueueSize  uint32        `config:"reassembler.queue_size"`
}
Config defines the kernel metricset's possible configuration options.
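As an added example (not the metricset's own code), the following mirrors the Config struct above, minus the three reassembler tuning fields, and adds a load-time check of the enumerated fields plus a splitter for the one-rule-per-line audit_rules blob; treating '#' lines as comments is an assumption of this example, and the rules in the test are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// Config mirrors the metricset's Config (the reassembler tuning fields are omitted here).
type Config struct {
	ResolveIDs   bool   `config:"resolve_ids"`
	FailureMode  string `config:"failure_mode"`
	BacklogLimit uint32 `config:"backlog_limit"`
	RateLimit    uint32 `config:"rate_limit"`
	RawMessage   bool   `config:"include_raw_message"`
	Warnings     bool   `config:"include_warnings"`
	RulesBlob    string `config:"audit_rules"`
	SocketType   string `config:"socket_type"`
}

// Validate rejects values outside the sets the field comments document, so a
// typo in failure_mode or socket_type is caught at load time instead of being
// handed to the kernel.
func (c Config) Validate() error {
	switch c.FailureMode {
	case "silent", "log", "panic":
	default:
		return fmt.Errorf("failure_mode %q: want silent, log or panic", c.FailureMode)
	}
	switch c.SocketType {
	case "unicast", "multicast":
	default:
		return fmt.Errorf("socket_type %q: want unicast or multicast", c.SocketType)
	}
	return nil
}

// Rules splits RulesBlob into one rule per line, dropping blank lines and,
// as an assumption of this example, lines beginning with '#'.
func (c Config) Rules() []string {
	var rules []string
	for _, line := range strings.Split(c.RulesBlob, "\n") {
		if t := strings.TrimSpace(line); t != "" && !strings.HasPrefix(t, "#") {
			rules = append(rules, t)
		}
	}
	return rules
}
```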
type MetricSet ¶
type MetricSet struct {
	mb.BaseMetricSet
	// contains filtered or unexported fields
}
MetricSet listens for audit messages from the Linux kernel using a netlink socket. It buffers the messages to ensure ordering and then streams the output. MetricSet implements the mb.PushMetricSet interface, and therefore does not rely on polling.
func (*MetricSet) Run ¶
func (ms *MetricSet) Run(reporter mb.PushReporterV2)
Run initializes the audit client and receives audit messages from the kernel until the reporter's done channel is closed.