Linux audit event multiplexor (audisp) plugin for transferring audit event information to Apache Kafka
These instructions will get you a copy of the project up and running on your linux box.
Before using audisp-kafka please check that required audit packages and Java8+ are installed with
yum list audit audit-libs audispd-plugins
echo "Checking Java version"
java -version
Build with
mvn install
Then run as root supplied install.sh or run commands below
AUDISP_HOME=/opt/a2/agents/audisp
mkdir -p $AUDISP_HOME/lib
cp target/lib/commons-io-2.6.jar $AUDISP_HOME/lib
cp target/lib/kafka-clients-1.1.0.jar $AUDISP_HOME/lib
cp target/lib/log4j-1.2.17.jar $AUDISP_HOME/lib
cp target/lib/lz4-java-1.4.jar $AUDISP_HOME/lib
cp target/lib/slf4j-api-1.7.25.jar $AUDISP_HOME/lib
cp target/lib/snappy-java-1.1.7.1.jar $AUDISP_HOME/lib
cp target/audisp-kafka-0.1.0.jar $AUDISP_HOME
cp audisp-kafka $AUDISP_HOME
cp audisp-kafka.conf $AUDISP_HOME
cp log4j.properties $AUDISP_HOME
chmod +x $AUDISP_HOME/audisp-kafka
Edit /etc/audisp/plugins.d/au-remote.conf, this files should looks like
active = yes
direction = out
path = /opt/a2/agents/audisp/audisp-kafka
type = always
format = string
Create Kafka's server topic for audit test with a single partition and only one replica:
bin/kafka-topics.sh --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic audisp-test
Edit audisp-kafka.conf, this files should looks like
a2.worker.count = 32
a2.kafka.servers = dwh.a2-solutions.eu:9092
a2.kafka.topic = audisp-test
a2.kafka.client.id = a2.audit.ai.linux
a2.worker.count - number of threads for transferring messaged to Kafka cluster
a2.kafka.servers - hostname/IP address and port of Kafka installation
a2.kafka.topic - value must match name of Kafka topic created on previous step
a2.kafka.client.id - use any valid string value for identifying this Kafka producer
Add some rules to /etc/audit/auditd.rules, for example to audit all command issued by root (i.e. EXECVE call) add
-a always,exit -F arch=b64 -S execve -F euid=0 -F key=root-commands
-a always,exit -F arch=b32 -S execve -F euid=0 -F key=root-commands
to audit other users activity add the same rules with different euid
For auditing file system activity you can add for directory /data/oracle/adump
-w /data/oracle/adump -k rdbms-audit-file-watch
For other examples please see man pages, unistd.h and other relevant information sources.
Restart auditd with
service auditd restart
See Linux audit log at Kafka's side with command line consumer
bin/kafka-console-consumer.sh --from-beginning --zookeeper localhost:2181 --topic audisp-test
Please size Kafka's settings for production environment
- Maven - Dependency Management
Kerberos/SSL support
- Aleksej Veremeev - Initial work - A2 Solutions
This project is licensed under the Apache License - see the LICENSE file for details