audisp-json

INACTIVE

Перейти к файлу

Guillaume Destuynder 9f302ea38e Implement sending of messages via libcurl Uses a ring buffer (msg_list) to fill in messages at a max of 512 messages currently. Then uses select to run curl_multi functions.		2014-04-29 16:20:10 -07:00
Makefile	Implement sending of messages via libcurl	2014-04-29 16:20:10 -07:00
README.rst	Implement sending of messages via libcurl	2014-04-29 16:20:10 -07:00
au-json.conf	Quick conversion to json - doesn't actually work or anything	2014-04-02 16:40:31 -07:00
audisp-json.c	Implement sending of messages via libcurl	2014-04-29 16:20:10 -07:00
audisp-json.conf	Implement sending of messages via libcurl	2014-04-29 16:20:10 -07:00
json-config.c	Implement sending of messages via libcurl	2014-04-29 16:20:10 -07:00
json-config.h	Implement sending of messages via libcurl	2014-04-29 16:20:10 -07:00
messages_format.rst	Modifying json msg format	2014-04-02 16:50:34 -07:00

README.rst

==========
Audisp-json
==========

.. contents:: Table of contents

This program is a plugin for Linux Audit user space programs available at <http://people.redhat.com/sgrubb/audit/>.
It uses the audisp multiplexer.

Audisp-json correlates messages coming from the kernel's audit (and through audisp) into a single JSON message that is
sent directly to a log server (it doesn't use syslog).
The JSON format used is MozDef message format.

Regular audit log messages and audisp-json error, info messages still use syslog.

Building
--------

Required dependencies:
- Audit (2.0+)
- libtool
- libcurl

For package building:
- FPM
- rpmbuild (rpm)

Build targets:
=============
They're self explanatory.

- make
- make rpm
- make deb
- make install
- make uninstall
- make clean

Deal with auditd quirks, or how to make auditd useable in prod
--------------------------------------------------------------

We're assuming you're logging auditd stuff to LOCAL5 here. Replace <SYSLOG_SERVER_IP_HERE> by your syslogger.
Due to the nature/sensitivity of the logs, using TLS as transport is highly recommended.

These examples filter out messages that may kill your log if auditd goes down for any reason, or general
messages which you may want to forward but to keep in their own faciilty, or simply not log to disk, for
useability reasons.

Example for rsyslog
===================

 ::

    #Drop native audit messages from the kernel (may happen is auditd dies, and may kill the system otherwise)
    :msg, regex, "type=[0-9]* audit" ~
    #Sent audit rate limit errors directly to the remote syslog server
    :msg, contains, "rate limit exceeded" @<SYSLOG_SERVER_IP_HERE>
    :msg, contains, "audit_lost=" @<SYSLOG_SERVER_IP_HERE>
    #Drop audit sid msg (work-around until RH fixes the kernel - should be fixed in RHEL7 and recent RHEL6)
    :msg, contains, "error converting sid to string" ~

    #Don't log auditd messages to disk, we're logging way too much stuff for that
    *.info;local5.none			/var/log/messages
    #Log remotely instead
    local5.*					@<SYSLOG_SERVER_IP_HERE>

Example for syslog-ng
=====================

 ::

    source s_syslog { unix-dgram("/dev/log"); };
    filter f_auditd { message("type=[0-9]* audit") and message("rate limit exceeded") and message("audit_lost=") and facility(local5); };
    destination d_logserver { udp("<SYSLOG_SERVER_IP_HERE>" port(514)); };
    log{ source(s_syslog); filter(f_auditd); destination(d_logserver); };
    # If you want to "not log" auditd messages, negate the same filter to your other log items

Message handling
----------------

Syscalls are interpreted by audisp-json and transformed into a MozDef JSON message.
This means, for example, all execve() and related calls will be aggregated into a message of type EXECVE.

.. note: MozDef messages are not sent to syslog. They're sent to MozDef directly.

Supported messages are listed in the document messages_format.rst