Documentation ¶
      Overview ¶
Package kernel is a metricset that subscribes to the Linux Audit Framework to receive audit events from the kernel.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Config ¶
type Config struct {
	ResolveIDs   bool   `config:"kernel.resolve_ids"`         // Resolve UID/GIDs to names.
	FailureMode  string `config:"kernel.failure_mode"`        // Failure mode for the kernel (silent, log, panic).
	BacklogLimit uint32 `config:"kernel.backlog_limit"`       // Max number of messages to buffer in the kernel.
	RateLimit    uint32 `config:"kernel.rate_limit"`          // Rate limit in messages/sec of messages from kernel.
	RawMessage   bool   `config:"kernel.include_raw_message"` // Include the list of raw audit messages in the event.
	Warnings     bool   `config:"kernel.include_warnings"`    // Include warnings in the event (for dev/debug purposes only).
	RulesBlob    string `config:"kernel.audit_rules"`         // Audit rules. One rule per line.
	// Tuning options (advanced, use with care)
	ReassemblerMaxInFlight uint32        `config:"kernel.reassembler.max_in_flight"`
	ReassemblerTimeout     time.Duration `config:"kernel.reassembler.timeout"`
	StreamBufferQueueSize  uint32        `config:"kernel.reassembler.queue_size"`
}
    Config defines the kernel metricset's possible configuration options.
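The following added example (not code from this package) checks the two string options of Config before use: it rejects a `kernel.failure_mode` outside the documented set and splits `kernel.audit_rules` into one rule per line. `kernelConfig`, `validate` and the sample rules are hypothetical; skipping blank lines and `#` comments and rejecting duplicate rules are assumptions of the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// kernelConfig is a hypothetical local copy of two documented Config fields.
type kernelConfig struct {
	FailureMode string // kernel.failure_mode
	RulesBlob   string // kernel.audit_rules
}

// Documented names mapped to AUDIT_FAIL_SILENT/PRINTK/PANIC (linux/audit.h).
var failureModes = map[string]uint32{"silent": 0, "log": 1, "panic": 2}

const sampleRules = `# constructed sample rules
-w /etc/passwd   -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
`

// validate rejects unknown failure modes and splits RulesBlob into one rule per
// line. Skipping blanks/# comments and rejecting duplicates are assumptions.
func validate(c kernelConfig) (uint32, []string, error) {
	mode, ok := failureModes[c.FailureMode]
	if !ok {
		return 0, nil, fmt.Errorf("invalid kernel.failure_mode %q (want silent, log or panic)", c.FailureMode)
	}
	var rules []string
	seen := map[string]int{} // whitespace-normalized rule -> first line number
	s := bufio.NewScanner(strings.NewReader(c.RulesBlob))
	for n := 1; s.Scan(); n++ {
		rule := strings.Join(strings.Fields(s.Text()), " ")
		if rule == "" || strings.HasPrefix(rule, "#") {
			continue
		}
		if first, dup := seen[rule]; dup {
			return 0, nil, fmt.Errorf("line %d: duplicate of rule on line %d", n, first)
		}
		seen[rule] = n
		rules = append(rules, rule)
	}
	return mode, rules, s.Err()
}

func main() {
	fmt.Println(validate(kernelConfig{FailureMode: "log", RulesBlob: sampleRules}))
}
```

Catching a mistyped failure mode or a repeated rule at configuration load time is cheaper than finding out from a partially applied rule set.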
type MetricSet ¶
type MetricSet struct {
	mb.BaseMetricSet
	// contains filtered or unexported fields
}
    MetricSet listens for audit messages from the Linux kernel using a netlink socket. It buffers the messages to ensure ordering and then streams the output. MetricSet implements the mb.PushMetricSet interface, and therefore does not rely on polling.
func (*MetricSet) Run ¶
func (ms *MetricSet) Run(reporter mb.PushReporter)
Run initializes the audit client and receives audit messages from the kernel until the reporter's done channel is closed.
Source Files ¶
- audit_linux.go
- config.go
- doc.go