Comments (6)
nbrownus
commented on September 7, 2024
1
You should be able to use it now if you indent the regex line at the very end of your config. The bug I will fix this week will just remove the panic and provide an actionable error message for an incomplete filter rule.
from go-audit.
nbrownus
commented on September 7, 2024
Looks like there may be a problem with your config teasing out a bug in the filter parsing. Can you add your config here for me to look over?
Another thing, likely unrelated, govendor is used for dependencies in go-audit instead of go get.
from go-audit.
joelchen
commented on September 7, 2024
The go get will automatically get govendor for dependencies and build the binary for go-audit is not it? Also, I used make which forced me to install govendor beforehand in the second attempt.
As I said in the steps, I followed https://github.com/slackhq/go-audit/blob/master/go-audit.yaml.example for config. Here is config for go-audit.yml for stdout output (stdout is also failing with same error above as with syslog or file output):
# Configure socket buffers, leave unset to use the system defaults
# Values will be doubled by the kernel
# It is recommended you do not set any of these values unless you really need to
socket_buffer:
# Default is net.core.rmem_default (/proc/sys/net/core/rmem_default)
# Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
receive: 16384
events:
# Minimum event type to capture, default 1300
min: 1300
# Maximum event type to capture, default 1399
max: 1399
# Configure message sequence tracking
message_tracking:
# Track messages and identify if we missed any, default true
enabled: true
# Log out of orderness, these messages typically signify an overloading system, default false
log_out_of_order: false
# Maximum out of orderness before a missed sequence is presumed dropped, default 500
max_out_of_order: 500
# Configure where to output audit events
# Only 1 output can be active at a given time
output:
# Writes to stdout
# All program status logging will be moved to stderr
stdout:
enabled: true
# Total number of attempts to write a line before considering giving up
# If a write fails go-audit will sleep for 1 second before retrying
# Default is 3
attempts: 2
# Writes logs to syslog
syslog:
enabled: false
attempts: 5
# Configure the type of socket this should be, default is unixgram
# This maps to `network` in golangs net.Dial: https://golang.org/pkg/net/#Dial
network: unixgram
# Set the remote address to connect to, this can be a path or an ip address
# This maps to `address` in golangs net.Dial: https://golang.org/pkg/net/#Dial
address: /dev/log
# Sets the facility and severity for all events. See the table below for help
# The default is 132 which maps to local0 | warn
priority: 129 # local0 | emerg
# Typically the name of the program generating the message. The PID is of the process is appended for you: [1233]
# Default value is "go-audit"
tag: "go-audit"
# Appends logs to a file
file:
enabled: false
attempts: 2
# Path of the file to write lines to
# The actual file will be created if it is missing but make sure the parent directory exists
path: /var/log/go-audit/go-audit.log
# Octal file mode for the log file, make sure to always have a leading 0
mode: 0600
# User and group that should own the log file
user: root
group: root
# Configure logging, only stdout and stderr are used.
log:
# Gives you a bit of control over log line prefixes. Default is 0 - nothing.
# To get the `filename:lineno` you would set this to 16
#
# Ldate = 1 // the date in the local time zone: 2009/01/23
# Ltime = 2 // the time in the local time zone: 01:23:23
# Lmicroseconds = 4 // microsecond resolution: 01:23:23.123123. assumes Ltime.
# Llongfile = 8 // full file name and line number: /a/b/c/d.go:23
# Lshortfile = 16 // final file name element and line number: d.go:23. overrides Llongfile
# LUTC = 32 // if Ldate or Ltime is set, use UTC rather than the local time zone
#
# See also: https://golang.org/pkg/log/#pkg-constants
flags: 0
rules:
# Watch all 64 bit program executions
- -a exit,always -F arch=b64 -S execve
# Watch all 32 bit program executions
- -a exit,always -F arch=b32 -S execve
# Enable kernel auditing (required if not done via the "audit" kernel boot parameter)
# You can also use this to lock the rules. Locking requires a reboot to modify the ruleset.
# This should be the last rule in the chain.
- -e 1
# If kaudit filtering isn't powerful enough you can use the following filter mechanism
filters:
# Each filter consists of exactly 3 parts
- syscall: 49 # The syscall id of the message group (a single log line from go-audit), to test against the regex
message_type: 1306 # The message type identifier containing the data to test against the regex
regex: saddr=(10..|0A..) # The regex to test against the message specific message types data
from go-audit.
nbrownus
commented on September 7, 2024
Looks like the problem is the very last line, it should be indented 4 spaces. As for the panic, I will fix that next week.
from go-audit.
joelchen
commented on September 7, 2024
Thanks @nbrownus. Can it be fix earlier? I would like to use it soon.
from go-audit.
nbrownus
commented on September 7, 2024
With that merge you should get a much more helpful error message.
from go-audit.
Related Issues (20)
- How to filter to command run in local0 to 7
- Reverse Function for Filters
- Including node hostname/ip info in log HOT 2
- Failed to open syslog writer on LXC HOT 1
- Pre-compiled version? HOT 3
- Replacing auditd with go-audit HOT 1
- wrong app name in syslogs HOT 1
- extras.go does not support disabled container auditing HOT 3
- LXD support
- Migrate away from govendor to go modules
- Migrate from "syscall" to "golang.org/x/sys/unix"
- Consider using code generation (ex: easyjson) for JSON models
- no tags/releases HOT 3
- go-audit relies on github.com/capsule8/capsule8, which was deleted or made private HOT 1
- "type":1305 AUDIT_CONFIG_CHANGE log noise HOT 2
- Do we need to implement logrotate for the go-audit.log file?
- Publish debian packages
- Process dies and go-audit stops logging HOT 2
- Enhance request for ECS compatible go-audit output
- When go-audit and linux auditd are started at the same time, go-audit cannot obtain any data. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from go-audit.