From: Steve Grubb
To: linux-audit@redhat.com
Subject: Auditd statsd integration
Date: Mon, 08 Feb 2021 20:43:59 -0500
Message-ID: <12872550.uLZWGnKmhe@x2>

Hello,

I
have recently checked in to the audit tree 2 experimental plugins. You can
enable them by passing --enable-experimental to configure. One of the new
plugins is aimed at providing audit metrics to a statsd server. The idea being
that you can use this to relay the metrics to influxdb, prometheus or some
other collector. Then you can use Grafana to visualize and alert.

Currently, it supports the following metrics:

  kernel.audit.lost
  kernel.audit.backlog
  auditd.free_space
  auditd.plugin_current_depth
  auditd.plugin_max_depth
  audit_events.total_count
  audit_events.total_failed
  audit_events.avc_count
  audit_events.fanotify_count
  audit_events.logins_failed
  audit_events.logins_success
  audit_events.anomaly_count
  audit_events.response_count

I'd be interested in hearing if this would be useful. And if these are the
right metrics that people are interested in. Should something else be
measured? Should an example Grafana dashboard be included?

Let me know what you think.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
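
A consumer-side check on the metrics listed in the message, as an added example that is not part of the original message or of the audit project's code: it parses statsd-format lines and flags conditions that point to gaps in the audit trail. The thresholds, the metric types (gauge `g`, counter `c`), the free-space unit and the sample datagrams are assumptions.

```python
import math

# Metric names come from the message above; the thresholds, the comparison
# directions and the free-space unit (assumed MB) are illustrative assumptions.
RULES = [
    ("kernel.audit.lost", "gt", 0),               # any lost event is a gap in the trail
    ("kernel.audit.backlog", "gt", 4096),
    ("auditd.free_space", "lt", 512),
    ("auditd.plugin_current_depth", "gt", 100),
]

def parse_statsd(datagram):
    """Yield (name, value, kind) for each well-formed statsd line in a datagram."""
    for line in datagram.decode("ascii", "replace").splitlines():
        name, sep, rest = line.partition(":")
        fields = rest.split("|")
        if not sep or not name or len(fields) < 2 or fields[1] not in ("g", "c"):
            continue                              # malformed or unsupported type
        try:
            value = float(fields[0])
        except ValueError:
            continue
        if math.isfinite(value):
            yield name, value, fields[1]

def apply_datagram(state, datagram):
    """Fold one datagram into state: gauges overwrite, counters accumulate."""
    for name, value, kind in parse_statsd(datagram):
        state[name] = state.get(name, 0.0) + value if kind == "c" else value
    return state

def audit_health_alerts(state):
    """Return the names of metrics that currently violate a rule."""
    alerts = []
    for name, op, limit in RULES:
        if name not in state:
            continue
        value = state[name]
        if (op == "gt" and value > limit) or (op == "lt" and value < limit):
            alerts.append(name)
    return alerts

# Constructed sample datagrams (not captured from a real auditd).
SAMPLE = [
    b"kernel.audit.lost:0|g\nkernel.audit.backlog:12|g\nauditd.free_space:20480|g",
    b"audit_events.logins_failed:3|c\nnot a metric\nkernel.audit.lost:7|g",
    b"audit_events.logins_failed:2|c\nauditd.free_space:100|g",
]

def run_sample():
    state = {}
    for dgram in SAMPLE:
        apply_datagram(state, dgram)
    return state, audit_health_alerts(state)
```
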