Hello, I have recently checked in to the audit tree 2 experimental plugins. You can enable them by passing --enable-experimental to configure. One of the new plugins is aimed at providing audit metrics to a statsd server. The idea is that you can use this to relay the metrics to influxdb, prometheus or some other collector. Then you can use Grafana to visualize and alert.
Currently, it supports the following metrics:

  kernel.audit.lost
  kernel.audit.backlog
  auditd.free_space
  auditd.plugin_current_depth
  auditd.plugin_max_depth
  audit_events.total_count
  audit_events.total_failed
  audit_events.avc_count
  audit_events.fanotify_count
  audit_events.logins_failed
  audit_events.logins_success
  audit_events.anomaly_count
  audit_events.response_count

I'd be interested in hearing if this would be useful, and if these are the right metrics that people are interested in. Should something else be measured? Should an example Grafana dashboard be included? Let me know what you think.

-Steve

-- 
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
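The collector side of this, as an added example that is not part of the audit project or its statsd plugin: a small Python statsd-line encoder/decoder and aggregator for the metric names listed in the mail, which you can point a UDP socket at to see what a plugin actually puts on the wire before wiring it into influxdb or prometheus. The metric names are the ones from the mail; which of them are treated as gauges versus counters, the datagram contents, the 127.0.0.1:8125 listen address and the alert threshold are assumptions made for this example, not the plugin's design.

```python
"""Minimal statsd sink for audit metrics (added example, not project code).

statsd wire format: one or more lines per UDP datagram, each
    <name>:<value>|<type>[|@<samplerate>]
with type "c" for a counter (summed) and "g" for a gauge (last value wins;
a value prefixed with "+" or "-" is a delta applied to the gauge).
"""
import socket
from typing import Dict, List, Tuple

# Metric names quoted from the mail. The gauge/counter split is an
# assumption of this example: lost/backlog/free_space/depth read like
# point-in-time values, the audit_events.* names like event counts.
GAUGES = {
    "kernel.audit.lost", "kernel.audit.backlog", "auditd.free_space",
    "auditd.plugin_current_depth", "auditd.plugin_max_depth",
}
COUNTERS = {
    "audit_events.total_count", "audit_events.total_failed",
    "audit_events.avc_count", "audit_events.fanotify_count",
    "audit_events.logins_failed", "audit_events.logins_success",
    "audit_events.anomaly_count", "audit_events.response_count",
}
KNOWN = GAUGES | COUNTERS

# (name, value, type, is_delta)
Sample = Tuple[str, float, str, bool]


def encode(name: str, value: float, kind: str) -> str:
    """Format one metric line; refuses names that are not in the mail's list."""
    if kind not in ("g", "c"):
        raise ValueError("unsupported statsd type: %r" % kind)
    if name not in KNOWN:
        raise ValueError("unknown audit metric: %r" % name)
    v = int(value) if float(value).is_integer() else value
    return "%s:%s|%s" % (name, v, kind)


def build_datagram(samples: List[Tuple[str, float, str]]) -> bytes:
    """Pack several metric lines into one newline-separated datagram."""
    return "\n".join(encode(*s) for s in samples).encode("ascii")


def decode_datagram(data: bytes) -> List[Sample]:
    """Parse a datagram; malformed lines are skipped, never fatal to the sink."""
    out: List[Sample] = []
    for line in data.decode("ascii", "replace").split("\n"):
        line = line.strip()
        if not line:
            continue
        try:
            name, rest = line.split(":", 1)
            fields = rest.split("|")
            raw, kind = fields[0], fields[1]
            value = float(raw)
        except (ValueError, IndexError):
            continue
        is_delta = kind == "g" and raw[:1] in ("+", "-")
        out.append((name, value, kind, is_delta))
    return out


def summarize(datagrams: List[bytes]) -> Tuple[Dict[str, float], List[str]]:
    """Aggregate counters by sum and gauges by last value (or delta).

    Returns the current state and the sorted list of metric names that were
    seen but are not in the mail's list, so typos in a dashboard show up.
    """
    state: Dict[str, float] = {}
    unknown = set()
    for dg in datagrams:
        for name, value, kind, is_delta in decode_datagram(dg):
            if name not in KNOWN:
                unknown.add(name)
                continue
            if kind == "c" or is_delta:
                state[name] = state.get(name, 0.0) + value
            elif kind == "g":
                state[name] = value
    return state, sorted(unknown)


def lost_events_alert(state: Dict[str, float], threshold: float = 0.0) -> bool:
    """Assumed alert rule: any lost kernel audit record is worth paging on."""
    return state.get("kernel.audit.lost", 0.0) > threshold


def receive_one(port: int = 8125, timeout: float = 5.0) -> bytes:
    """Block for one datagram on the conventional statsd port (assumed local)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", port))
        s.settimeout(timeout)
        data, _ = s.recvfrom(65535)
    return data


# Constructed sample datagrams standing in for two plugin reports.
SAMPLE_DATAGRAMS = [
    build_datagram([
        ("kernel.audit.lost", 0, "g"), ("kernel.audit.backlog", 12, "g"),
        ("audit_events.total_count", 40, "c"), ("audit_events.logins_failed", 3, "c"),
    ]),
    b"kernel.audit.lost:+2|g\naudit_events.total_count:15|c\nbogus line\nfoo.bar:1|c",
]

if __name__ == "__main__":
    state, unknown = summarize(SAMPLE_DATAGRAMS)
    print(state, unknown, "ALERT" if lost_events_alert(state) else "ok")
```

Run it as a script to see the aggregated state from the constructed datagrams; to check a live plugin, replace SAMPLE_DATAGRAMS with a loop over receive_one() and confirm the names it emits all land in `state` rather than in `unknown`.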
