Documentation
Overview
Package audit provides a background monitor that periodically scans audit records for anomaly patterns and sends notifications when thresholds are exceeded.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type Anomaly
Anomaly tracks a detected anomaly pattern.
func AnalyzeRecords
func AnalyzeRecords(cfg MonitorConfig, records []*types.AuditRecord) []Anomaly
AnalyzeRecords examines audit records and returns detected anomalies based on the provided configuration thresholds. It is used by both the background Monitor and the one-shot CLI.
type Monitor
type Monitor struct {
// contains filtered or unexported fields
}
Monitor is a background goroutine that periodically queries audit records for anomaly patterns and sends alerts via NotifyService.
func NewMonitor
func NewMonitor(
	auditRepo storage.AuditRepository,
	notifyService *notify.NotifyService,
	channel *notify.Channel,
	cfg MonitorConfig,
	log *slog.Logger,
) (*Monitor, error)
NewMonitor creates a new audit monitor. Call Start() to begin scanning.
type MonitorConfig
type MonitorConfig struct {
	Enabled       bool          `yaml:"enabled"`
	Interval      time.Duration `yaml:"interval"`       // scan interval (default: 1h)
	LookbackHours int           `yaml:"lookback_hours"` // hours to look back per scan (default: 1)

	// Thresholds
	AuthFailureThreshold     int `yaml:"auth_failure_threshold"`     // per source per hour (default: 5)
	BlocklistRejectThreshold int `yaml:"blocklist_reject_threshold"` // per key per hour (default: 3)
	HighFreqThreshold        int `yaml:"high_freq_threshold"`        // requests per hour (default: 100)
}
MonitorConfig configures the background audit monitor.
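The following is an added, self-contained illustration of the kind of threshold analysis AnalyzeRecords and MonitorConfig describe; it is not the package's own code. Because this page does not show the fields of types.AuditRecord or Anomaly, the example defines its own hypothetical AuditRecord (Timestamp, Source, KeyID, Event), its own Anomaly shape, and a local MonitorConfig carrying only the threshold fields listed above; the sample records are constructed. A count produces an anomaly only when it strictly exceeds its threshold, matching the overview's "thresholds are exceeded", and records older than LookbackHours are ignored.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuditRecord is a hypothetical stand-in for types.AuditRecord; the real
// field names are not shown on this page.
type AuditRecord struct {
	Timestamp time.Time
	Source    string // caller identity, e.g. client address (assumed)
	KeyID     string // credential / API key identifier (assumed)
	Event     string // "auth_failure", "blocklist_reject" or "request" (assumed)
}

// MonitorConfig carries only the threshold fields documented above.
type MonitorConfig struct {
	LookbackHours            int
	AuthFailureThreshold     int // per source per hour
	BlocklistRejectThreshold int // per key per hour
	HighFreqThreshold        int // requests per hour
}

// Anomaly is a hypothetical shape; the package's Anomaly fields are not shown.
type Anomaly struct {
	Kind    string // which threshold was exceeded
	Subject string // the source or key the count was keyed on
	Count   int
}

// DefaultConfig uses the defaults quoted in the MonitorConfig comments.
func DefaultConfig() MonitorConfig {
	return MonitorConfig{LookbackHours: 1, AuthFailureThreshold: 5,
		BlocklistRejectThreshold: 3, HighFreqThreshold: 100}
}

// AnalyzeRecords counts events per subject inside the lookback window and
// returns one Anomaly for every subject whose count exceeds its threshold.
// Results are ordered by kind, then by subject, so output is deterministic.
func AnalyzeRecords(cfg MonitorConfig, now time.Time, records []*AuditRecord) []Anomaly {
	cutoff := now.Add(-time.Duration(cfg.LookbackHours) * time.Hour)
	authFail := map[string]int{} // keyed by source
	blockRej := map[string]int{} // keyed by key id
	volume := map[string]int{}   // every record counts toward per-source volume
	for _, r := range records {
		if r.Timestamp.Before(cutoff) {
			continue // outside the scan window
		}
		switch r.Event {
		case "auth_failure":
			authFail[r.Source]++
		case "blocklist_reject":
			blockRej[r.KeyID]++
		}
		volume[r.Source]++
	}
	var out []Anomaly
	out = append(out, exceeding("auth_failure_burst", authFail, cfg.AuthFailureThreshold)...)
	out = append(out, exceeding("blocklist_reject_burst", blockRej, cfg.BlocklistRejectThreshold)...)
	out = append(out, exceeding("high_frequency", volume, cfg.HighFreqThreshold)...)
	return out
}

// exceeding returns an Anomaly per subject whose count is strictly above
// threshold; a threshold of 0 or less disables that check entirely.
func exceeding(kind string, counts map[string]int, threshold int) []Anomaly {
	var out []Anomaly
	if threshold <= 0 {
		return out
	}
	for subject, n := range counts {
		if n > threshold {
			out = append(out, Anomaly{Kind: kind, Subject: subject, Count: n})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Subject < out[j].Subject })
	return out
}

// SampleRecords builds a constructed set of audit records relative to now.
func SampleRecords(now time.Time) []*AuditRecord {
	var recs []*AuditRecord
	add := func(age time.Duration, src, key, ev string) {
		recs = append(recs, &AuditRecord{Timestamp: now.Add(-age), Source: src, KeyID: key, Event: ev})
	}
	for i := 0; i < 6; i++ { // 6 failures from one source: exceeds 5
		add(time.Duration(i)*time.Minute, "10.0.0.5", "key-1", "auth_failure")
	}
	for i := 0; i < 4; i++ { // 4 rejects for one key: exceeds 3
		add(time.Duration(i)*time.Minute, "10.0.0.6", "key-42", "blocklist_reject")
	}
	add(5*time.Minute, "10.0.0.9", "key-2", "auth_failure") // only this one is in-window
	add(90*time.Minute, "10.0.0.9", "key-2", "auth_failure")
	add(95*time.Minute, "10.0.0.9", "key-2", "auth_failure")
	for i := 0; i < 101; i++ { // 101 requests from one source: exceeds 100
		add(time.Duration(i)*time.Second, "10.0.0.7", "key-3", "request")
	}
	return recs
}

func main() {
	now := time.Now()
	for _, a := range AnalyzeRecords(DefaultConfig(), now, SampleRecords(now)) {
		fmt.Printf("%-24s %-10s count=%d\n", a.Kind, a.Subject, a.Count)
	}
}
```

With the default thresholds the sample yields three anomalies (auth_failure_burst for 10.0.0.5, blocklist_reject_burst for key-42, high_frequency for 10.0.0.7); the two stale failures from 10.0.0.9 fall outside the one-hour window and do not count, which is the behaviour a lookback-bounded scan should have.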