
Use netlink multicast group to receive audit logs #4850

Closed
andrewkroh opened this issue Aug 8, 2017 · 0 comments


andrewkroh commented Aug 8, 2017

We can make Auditbeat more user friendly by enabling it to receive audit messages as a multicast subscriber rather than the sole unicast client of the audit framework. This would allow Auditbeat to become a passive listener to audit messages and it could run alongside auditd.

This would be good for people getting started that already have auditd deployed and rules configured. It would give them a quick way to explore their audit data through Auditbeat + ES + Kibana. Later they can migrate their audit rules over to the auditbeat config file and disable auditd (because you probably don't want to waste CPU by running two audit clients).

If multicast is supported by the kernel (3.16+) and no rules are defined then Auditbeat can automatically use multicast. This will make it work without having to consider whether or not auditd is running. I will add a config option to explicitly configure the connection_type to use (unicast or multicast).

[Image: audit-multicast-decision-chart]

This relates to elastic/go-libaudit#9.
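The decision described in the comment above (explicit `connection_type` if configured, otherwise multicast only when the kernel is 3.16 or newer and no rules are defined) written out as a small Go program. This is an added example, not Auditbeat's or go-libaudit's code: the names `ParseKernelVersion`, `ChooseConnectionType`, `KernelVersion` and the `auto` value are assumptions made for illustration; only `unicast` and `multicast` come from the issue. The actual socket work (binding a `NETLINK_AUDIT` socket to the read-log multicast group) is left to go-libaudit and is not shown here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ConnectionType mirrors the connection_type setting proposed in the issue.
type ConnectionType string

const (
	Unicast   ConnectionType = "unicast"
	Multicast ConnectionType = "multicast"
	// Auto is a hypothetical default meaning "decide from kernel version and rule count".
	Auto ConnectionType = "auto"
)

// KernelVersion is the numeric major.minor prefix of a uname release string.
type KernelVersion struct{ Major, Minor int }

// AtLeast reports whether v is the same as or newer than major.minor.
func (v KernelVersion) AtLeast(major, minor int) bool {
	return v.Major > major || (v.Major == major && v.Minor >= minor)
}

// leadingDigits returns the run of ASCII digits at the start of s ("16-rc1" -> "16").
func leadingDigits(s string) string {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	return s[:i]
}

// ParseKernelVersion extracts major and minor from release strings such as
// "3.16.0-4-amd64", "4.13.0-rc1" or "2.6.32-696.el6.x86_64". Anything after
// the minor number (patch level, distro suffix) is ignored on purpose.
func ParseKernelVersion(release string) (KernelVersion, error) {
	parts := strings.SplitN(release, ".", 3)
	if len(parts) < 2 {
		return KernelVersion{}, fmt.Errorf("unrecognised kernel release %q", release)
	}
	major, err := strconv.Atoi(leadingDigits(parts[0]))
	if err != nil {
		return KernelVersion{}, fmt.Errorf("bad major version in %q: %w", release, err)
	}
	minor, err := strconv.Atoi(leadingDigits(parts[1]))
	if err != nil {
		return KernelVersion{}, fmt.Errorf("bad minor version in %q: %w", release, err)
	}
	return KernelVersion{Major: major, Minor: minor}, nil
}

// SupportsMulticast is true for kernels that offer the audit multicast group (3.16+).
func SupportsMulticast(v KernelVersion) bool {
	return v.AtLeast(3, 16)
}

// ChooseConnectionType applies the issue's decision chart:
//   - an explicit unicast or multicast setting wins (multicast is an error on old kernels);
//   - otherwise multicast is used only when the kernel supports it and no rules are configured,
//     since a passive listener cannot install rules.
func ChooseConnectionType(explicit ConnectionType, kernel KernelVersion, numRules int) (ConnectionType, error) {
	switch explicit {
	case Unicast:
		return Unicast, nil
	case Multicast:
		if !SupportsMulticast(kernel) {
			return "", fmt.Errorf("multicast requested but kernel %d.%d is older than 3.16", kernel.Major, kernel.Minor)
		}
		return Multicast, nil
	case Auto, "":
		if SupportsMulticast(kernel) && numRules == 0 {
			return Multicast, nil
		}
		return Unicast, nil
	default:
		return "", fmt.Errorf("unknown connection_type %q", explicit)
	}
}

func main() {
	// Constructed sample inputs: release strings as uname -r would print them.
	for _, release := range []string{"3.16.0-4-amd64", "3.15.10", "4.13.0-rc1"} {
		kv, err := ParseKernelVersion(release)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, rules := range []int{0, 3} {
			ct, err := ChooseConnectionType(Auto, kv, rules)
			fmt.Printf("kernel %-16s rules=%d -> %s %v\n", release, rules, ct, err)
		}
	}
}
```

The `auto` branch is what lets Auditbeat start on a host where auditd already owns the unicast connection: with no rules of its own it only subscribes to the multicast group, and as soon as rules are added it falls back to unicast, where it would compete with auditd for the single audit client slot.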

@andrewkroh andrewkroh self-assigned this Aug 8, 2017
@tsg tsg removed the v6.0.0-beta2 label Sep 1, 2017
andrewkroh added a commit to andrewkroh/beats that referenced this issue Sep 7, 2017
exekias pushed a commit that referenced this issue Sep 8, 2017
andrewkroh added a commit to andrewkroh/beats that referenced this issue Sep 8, 2017
Update to go-libaudit v0.0.6

Closes elastic#4850
(cherry picked from commit c76f14f)
ruflin pushed a commit that referenced this issue Sep 12, 2017
Update to go-libaudit v0.0.6

Closes #4850
(cherry picked from commit c76f14f)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023