{"id":37133423,"url":"https://github.com/cloudlinux/go-libaudit","last_synced_at":"2026-01-14T15:34:35.868Z","repository":{"id":39002716,"uuid":"353704369","full_name":"cloudlinux/go-libaudit","owner":"cloudlinux","description":"go-libaudit is a library for communicating with the Linux Audit Framework.","archived":false,"fork":true,"pushed_at":"2023-12-20T08:48:12.000Z","size":386,"stargazers_count":0,"open_issues_count":0,"forks_count":5,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-06-21T00:49:16.494Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://www.elastic.co/products/beats/auditbeat","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"elastic/go-libaudit","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudlinux.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":"audit.go","citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-04-01T13:10:37.000Z","updated_at":"2023-12-20T08:48:17.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/cloudlinux/go-libaudit","commit_stats":null,"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/cloudlinux/go-libaudit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudlinux%2Fgo-libaudit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudlinux%2Fgo-libaudit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudlinux%2Fgo-libaudit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudlinux%2Fgo-libaudit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudlinux","download_url"
:"https://codeload.github.com/cloudlinux/go-libaudit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudlinux%2Fgo-libaudit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28424374,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T13:30:50.153Z","status":"ssl_error","status_checked_at":"2026-01-14T13:29:08.907Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-14T15:34:35.178Z","updated_at":"2026-01-14T15:34:35.856Z","avatar_url":"https://github.com/cloudlinux.png","language":"Go","readme":"# go-libaudit\n\n[![Build Status](https://beats-ci.elastic.co/job/Library/job/go-libaudit-mbp/job/master/badge/icon)](https://beats-ci.elastic.co/job/Library/job/go-libaudit-mbp/job/master/)\n[![Go Documentation](http://img.shields.io/badge/go-documentation-blue.svg?style=flat-square)][godocs]\n\n[travis]: http://travis-ci.org/elastic/go-libaudit\n[godocs]: http://godoc.org/github.com/elastic/go-libaudit\n\ngo-libaudit is a library for Go (golang) for communicating with the Linux Audit\nFramework. The Linux Audit Framework provides system call auditing in the kernel\nand logs the events to user-space using netlink sockets. 
This library\nfacilitates user-space applications that want to receive audit events.\n\n## Installation and Usage\n\nPackage documentation can be found on [GoDoc][godocs].\n\nInstallation can be done with a normal `go get`:\n\n```\n$ go get github.com/elastic/go-libaudit\n```\n\ngo-libaudit has two example applications that you can use to try the library.\nThe first is _audit_ which registers to receive audit events from the kernel\nand outputs the data it receives to stdout. The system's `auditd` process\nshould be stopped first.\n\n```\n$ go install github.com/elastic/go-libaudit/cmd/audit\n$ sudo $GOPATH/bin/audit -d\n```\n\nThe second is _auparse_ which parses the log files from the Linux auditd\nprocess or the output of the _audit_ example command. It combines related log\nmessages that are a part of the same event.\n\n```\n$ go install github.com/elastic/go-libaudit/cmd/auparse\n$ sudo cat /var/log/audit/audit.log | auparse\n---\ntype=CRED_ACQ msg=audit(1481077334.302:545): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/1 res=success'\n---\ntype=USER_START msg=audit(1481077334.303:546): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? 
terminal=/dev/pts/1 res=success'\n---\ntype=SYSCALL msg=audit(1481077334.304:547): arch=c000003e syscall=59 success=yes exit=0 a0=7f683953a5d8 a1=7f683953fd38 a2=7f6839543a90 a3=6 items=2 ppid=1444 pid=1445 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm=\"su\" exe=\"/usr/bin/su\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)\ntype=EXECVE msg=audit(1481077334.304:547): argc=1 a0=\"su\"\ntype=CWD msg=audit(1481077334.304:547):  cwd=\"/home/andrew_kroh\"\ntype=PATH msg=audit(1481077334.304:547): item=0 name=\"/bin/su\" inode=5026 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:su_exec_t:s0 objtype=NORMAL\ntype=PATH msg=audit(1481077334.304:547): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=16778495 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL\n```\n\nIt supports outputting the messages as plain text (default), JSON, or YAML by\nusing `-format=yaml` for example.\n\n```\n$ sudo cat /var/log/audit/audit.log | auparse -format=json\n---\n{\"@timestamp\":\"2016-12-07 02:22:14.302 +0000 UTC\",\"acct\":\"root\",\"auid\":\"1000\",\"exe\":\"/usr/bin/sudo\",\"grantors\":\"pam_env,pam_unix\",\"op\":\"PAM:setcred\",\"pid\":\"1444\",\"raw_msg\":\"audit(1481077334.302:545): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=\\\"root\\\" exe=\\\"/usr/bin/sudo\\\" hostname=? addr=? 
terminal=/dev/pts/1 res=success'\",\"record_type\":\"CRED_ACQ\",\"result\":\"success\",\"sequence\":\"545\",\"ses\":\"4\",\"subj_category\":\"c0.c1023\",\"subj_domain\":\"unconfined_t\",\"subj_level\":\"s0-s0\",\"subj_role\":\"unconfined_r\",\"subj_user\":\"unconfined_u\",\"terminal\":\"/dev/pts/1\",\"uid\":\"0\"}\n---\n{\"@timestamp\":\"2016-12-07 02:22:14.303 +0000 UTC\",\"acct\":\"root\",\"auid\":\"1000\",\"exe\":\"/usr/bin/sudo\",\"grantors\":\"pam_keyinit,pam_limits\",\"op\":\"PAM:session_open\",\"pid\":\"1444\",\"raw_msg\":\"audit(1481077334.303:546): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct=\\\"root\\\" exe=\\\"/usr/bin/sudo\\\" hostname=? addr=? terminal=/dev/pts/1 res=success'\",\"record_type\":\"USER_START\",\"result\":\"success\",\"sequence\":\"546\",\"ses\":\"4\",\"subj_category\":\"c0.c1023\",\"subj_domain\":\"unconfined_t\",\"subj_level\":\"s0-s0\",\"subj_role\":\"unconfined_r\",\"subj_user\":\"unconfined_u\",\"terminal\":\"/dev/pts/1\",\"uid\":\"0\"}\n---\n{\"@timestamp\":\"2016-12-07 02:22:14.304 +0000 UTC\",\"a0\":\"7f683953a5d8\",\"a1\":\"7f683953fd38\",\"a2\":\"7f6839543a90\",\"a3\":\"6\",\"arch\":\"x86_64\",\"auid\":\"1000\",\"comm\":\"su\",\"egid\":\"0\",\"euid\":\"0\",\"exe\":\"/usr/bin/su\",\"exit\":\"0\",\"fsgid\":\"0\",\"fsuid\":\"0\",\"gid\":\"0\",\"items\":\"2\",\"pid\":\"1445\",\"ppid\":\"1444\",\"raw_msg\":\"audit(1481077334.304:547): arch=c000003e syscall=59 success=yes exit=0 a0=7f683953a5d8 a1=7f683953fd38 a2=7f6839543a90 a3=6 items=2 ppid=1444 pid=1445 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm=\\\"su\\\" exe=\\\"/usr/bin/su\\\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
key=(null)\",\"record_type\":\"SYSCALL\",\"result\":\"success\",\"sequence\":\"547\",\"ses\":\"4\",\"sgid\":\"0\",\"subj_category\":\"c0.c1023\",\"subj_domain\":\"unconfined_t\",\"subj_level\":\"s0-s0\",\"subj_role\":\"unconfined_r\",\"subj_user\":\"unconfined_u\",\"suid\":\"0\",\"syscall\":\"execve\",\"tty\":\"pts1\",\"uid\":\"0\"}\n{\"@timestamp\":\"2016-12-07 02:22:14.304 +0000 UTC\",\"a0\":\"su\",\"argc\":\"1\",\"raw_msg\":\"audit(1481077334.304:547): argc=1 a0=\\\"su\\\"\",\"record_type\":\"EXECVE\",\"sequence\":\"547\"}\n{\"@timestamp\":\"2016-12-07 02:22:14.304 +0000 UTC\",\"cwd\":\"/home/andrew_kroh\",\"raw_msg\":\"audit(1481077334.304:547):  cwd=\\\"/home/andrew_kroh\\\"\",\"record_type\":\"CWD\",\"sequence\":\"547\"}\n{\"@timestamp\":\"2016-12-07 02:22:14.304 +0000 UTC\",\"dev\":\"08:01\",\"inode\":\"5026\",\"item\":\"0\",\"mode\":\"0104755\",\"name\":\"/bin/su\",\"obj_domain\":\"su_exec_t\",\"obj_level\":\"s0\",\"obj_role\":\"object_r\",\"obj_user\":\"system_u\",\"objtype\":\"NORMAL\",\"ogid\":\"0\",\"ouid\":\"0\",\"raw_msg\":\"audit(1481077334.304:547): item=0 name=\\\"/bin/su\\\" inode=5026 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:su_exec_t:s0 objtype=NORMAL\",\"rdev\":\"00:00\",\"record_type\":\"PATH\",\"sequence\":\"547\"}\n{\"@timestamp\":\"2016-12-07 02:22:14.304 +0000 UTC\",\"dev\":\"08:01\",\"inode\":\"16778495\",\"item\":\"1\",\"mode\":\"0100755\",\"name\":\"/lib64/ld-linux-x86-64.so.2\",\"obj_domain\":\"ld_so_t\",\"obj_level\":\"s0\",\"obj_role\":\"object_r\",\"obj_user\":\"system_u\",\"objtype\":\"NORMAL\",\"ogid\":\"0\",\"ouid\":\"0\",\"raw_msg\":\"audit(1481077334.304:547): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=16778495 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL\",\"rdev\":\"00:00\",\"record_type\":\"PATH\",\"sequence\":\"547\"}\n```\n\nTo normalize and interpret the messages, use the `-i` flag for \"interpret\". 
This\nadds a category to the event and creates the `actor`, `action`, `thing`, and\n`how` fields based on data from the event. By default it will resolve UID and\nGID values to their names (use `-id=false` to disable this).\n\n```\n$ sudo cat /var/log/audit/audit.log | auparse -format=yaml -i\n---\ntimestamp: 2016-12-07T02:22:14.302Z\nsequence: 545\ncategory: user-login\nrecord_type: cred_acq\nresult: success\nsession: \"4\"\nsummary:\n  actor:\n    primary: vagrant\n    secondary: root\n  action: acquired-credentials\n  object:\n    type: user-session\n    primary: /dev/pts/1\n  how: /usr/bin/sudo\nuser:\n  ids:\n    auid: \"1000\"\n    uid: \"0\"\n  names:\n    auid: vagrant\n    uid: root\n  selinux:\n    category: c0.c1023\n    domain: unconfined_t\n    level: s0-s0\n    role: unconfined_r\n    user: unconfined_u\nprocess:\n  pid: \"1444\"\n  exe: /usr/bin/sudo\ndata:\n  acct: root\n  grantors: pam_env,pam_unix\n  op: PAM:setcred\n  terminal: /dev/pts/1\necs:\n  event:\n    category:\n    - authentication\n    type:\n    - info\n  user:\n    name: vagrant\n    id: \"1000\"\n    effective:\n      name: root\n      id: \"0\"\n    target: {}\n    changes: {}\n  group: {}\n\n---\ntimestamp: 2016-12-07T02:22:14.303Z\nsequence: 546\ncategory: user-login\nrecord_type: user_start\nresult: success\nsession: \"4\"\nsummary:\n  actor:\n    primary: vagrant\n    secondary: root\n  action: started-session\n  object:\n    type: user-session\n    primary: /dev/pts/1\n  how: /usr/bin/sudo\nuser:\n  ids:\n    auid: \"1000\"\n    uid: \"0\"\n  names:\n    auid: vagrant\n    uid: root\n  selinux:\n    category: c0.c1023\n    domain: unconfined_t\n    level: s0-s0\n    role: unconfined_r\n    user: unconfined_u\nprocess:\n  pid: \"1444\"\n  exe: /usr/bin/sudo\ndata:\n  acct: root\n  grantors: pam_keyinit,pam_limits\n  op: PAM:session_open\n  terminal: /dev/pts/1\necs:\n  event:\n    category:\n    - authentication\n    type:\n    - info\n  user:\n    name: vagrant\n    id: 
\"1000\"\n    effective:\n      name: root\n      id: \"0\"\n    target: {}\n    changes: {}\n  group: {}\n\n---\ntimestamp: 2016-12-07T02:22:14.304Z\nsequence: 547\ncategory: audit-rule\nrecord_type: syscall\nresult: success\nsession: \"4\"\nsummary:\n  actor:\n    primary: vagrant\n    secondary: root\n  action: executed\n  object:\n    type: file\n    primary: /bin/su\n  how: /usr/bin/su\nuser:\n  ids:\n    auid: \"1000\"\n    egid: \"0\"\n    euid: \"0\"\n    fsgid: \"0\"\n    fsuid: \"0\"\n    gid: \"0\"\n    sgid: \"0\"\n    suid: \"0\"\n    uid: \"0\"\n  names:\n    auid: vagrant\n    egid: root\n    euid: root\n    fsgid: root\n    fsuid: root\n    gid: root\n    sgid: root\n    suid: root\n    uid: root\n  selinux:\n    category: c0.c1023\n    domain: unconfined_t\n    level: s0-s0\n    role: unconfined_r\n    user: unconfined_u\nprocess:\n  pid: \"1445\"\n  ppid: \"1444\"\n  name: su\n  exe: /usr/bin/su\n  cwd: /home/andrew_kroh\n  args:\n  - su\nfile:\n  path: /bin/su\n  device: \"00:00\"\n  inode: \"5026\"\n  mode: \"0755\"\n  uid: \"0\"\n  gid: \"0\"\n  owner: root\n  group: root\n  selinux:\n    domain: su_exec_t\n    level: s0\n    role: object_r\n    user: system_u\ndata:\n  a0: 7f683953a5d8\n  a1: 7f683953fd38\n  a2: 7f6839543a90\n  a3: \"6\"\n  arch: x86_64\n  argc: \"1\"\n  exit: \"0\"\n  syscall: execve\n  tty: pts1\npaths:\n- dev: \"08:01\"\n  inode: \"5026\"\n  item: \"0\"\n  mode: \"0104755\"\n  name: /bin/su\n  obj_domain: su_exec_t\n  obj_level: s0\n  obj_role: object_r\n  obj_user: system_u\n  objtype: NORMAL\n  ogid: \"0\"\n  ouid: \"0\"\n  rdev: \"00:00\"\n- dev: \"08:01\"\n  inode: \"16778495\"\n  item: \"1\"\n  mode: \"0100755\"\n  name: /lib64/ld-linux-x86-64.so.2\n  obj_domain: ld_so_t\n  obj_level: s0\n  obj_role: object_r\n  obj_user: system_u\n  objtype: NORMAL\n  ogid: \"0\"\n  ouid: \"0\"\n  rdev: \"00:00\"\necs:\n  event:\n    category:\n    - process\n    type:\n    - start\n  user:\n    effective: {}\n    target: {}\n    
changes: {}\n  group: {}\n```\n\n## ECS compatibility\n\nThis currently provides [Elastic Common Schema (ECS) 1.8](https://www.elastic.co/guide/en/ecs/current/index.html) categorization support for some of the more prominent or meaningful auditd events and syscalls.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudlinux%2Fgo-libaudit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudlinux%2Fgo-libaudit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudlinux%2Fgo-libaudit/lists"}
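The `audit` example described above has to register itself with the kernel over netlink before any event arrives. The following is an added example written for this page, not code from go-libaudit (the library does the same through `golang.org/x/sys/unix` with a fuller API). It shows the exchange with the standard library only: one AUDIT_SET request carrying `audit_status{mask=ENABLED|PID, enabled=1, pid=<own pid>}`, the ACK that comes back as NLMSG_ERROR with errno 0, and the event records that follow. Assumptions: a little-endian Linux host (netlink is host byte order), root or CAP_AUDIT_CONTROL, and no running `auditd`; the numeric constants are copied from `<linux/audit.h>` and `<linux/netlink.h>`.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"os"
	"syscall"
)

// Values from <linux/audit.h> and <linux/netlink.h>.
const (
	auditSet           = 1001   // AUDIT_SET: apply the audit_status fields selected by Mask
	auditStatusEnabled = 0x0001 // AUDIT_STATUS_ENABLED
	auditStatusPID     = 0x0004 // AUDIT_STATUS_PID: register the sender as the audit daemon
	nlmsgHdrLen        = 16     // sizeof(struct nlmsghdr)
	statusLen          = 40     // ten u32 fields; the kernel copies min(sizeof(struct audit_status), len)
)

// auditStatus mirrors the leading fields of struct audit_status.
type auditStatus struct {
	Mask, Enabled, Failure, PID, RateLimit, BacklogLimit, Lost, Backlog, FeatureBitmap, BacklogWaitTime uint32
}

// Netlink uses host byte order; little-endian is assumed here (true on x86_64 and aarch64).
var ho = binary.LittleEndian

// EncodeAuditSet builds the wire form of one AUDIT_SET request: nlmsghdr followed by audit_status.
func EncodeAuditSet(seq uint32, st auditStatus) []byte {
	buf := make([]byte, nlmsgHdrLen+statusLen)
	ho.PutUint32(buf[0:], uint32(len(buf)))                        // nlmsg_len
	ho.PutUint16(buf[4:], auditSet)                                // nlmsg_type
	ho.PutUint16(buf[6:], syscall.NLM_F_REQUEST|syscall.NLM_F_ACK) // nlmsg_flags: ask for an ACK
	ho.PutUint32(buf[8:], seq)                                     // nlmsg_seq, echoed back in the ACK
	ho.PutUint32(buf[12:], 0)                                      // nlmsg_pid: 0, the kernel fills in the port id
	fields := []uint32{st.Mask, st.Enabled, st.Failure, st.PID, st.RateLimit,
		st.BacklogLimit, st.Lost, st.Backlog, st.FeatureBitmap, st.BacklogWaitTime}
	for i, v := range fields {
		ho.PutUint32(buf[nlmsgHdrLen+4*i:], v)
	}
	return buf
}

// NetlinkMsg is one message cut out of a receive buffer.
type NetlinkMsg struct {
	Type uint16
	Seq  uint32
	Data []byte
}

// SplitMessages walks a buffer that may hold several netlink messages, each padded to 4 bytes.
func SplitMessages(b []byte) ([]NetlinkMsg, error) {
	var out []NetlinkMsg
	for len(b) >= nlmsgHdrLen {
		l := int(ho.Uint32(b[0:]))
		if l < nlmsgHdrLen || l > len(b) {
			return out, fmt.Errorf("bad nlmsg_len %d with %d bytes left", l, len(b))
		}
		out = append(out, NetlinkMsg{Type: ho.Uint16(b[4:]), Seq: ho.Uint32(b[8:]), Data: b[nlmsgHdrLen:l]})
		if l = (l + 3) &^ 3; l > len(b) { // NLMSG_ALIGN; the last message may be unpadded
			l = len(b)
		}
		b = b[l:]
	}
	return out, nil
}

func fatal(what string, err error) {
	fmt.Fprintln(os.Stderr, what+":", err)
	os.Exit(1)
}

func main() {
	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_AUDIT)
	if err != nil {
		fatal("socket", err) // needs a Linux kernel and CAP_AUDIT_CONTROL
	}
	defer syscall.Close(fd)
	if err := syscall.Bind(fd, &syscall.SockaddrNetlink{Family: syscall.AF_NETLINK}); err != nil {
		fatal("bind", err)
	}
	// Register this process as the audit daemon and turn auditing on. The kernel accepts a PID
	// only if it is the sender's own, and refuses it while another live daemon is registered,
	// which is why the README says to stop auditd first.
	req := EncodeAuditSet(1, auditStatus{Mask: auditStatusEnabled | auditStatusPID, Enabled: 1, PID: uint32(os.Getpid())})
	if err := syscall.Sendto(fd, req, 0, &syscall.SockaddrNetlink{Family: syscall.AF_NETLINK}); err != nil {
		fatal("sendto", err)
	}
	buf := make([]byte, 16*1024) // MAX_AUDIT_MESSAGE_LENGTH is 8970; leave room for batched replies
	for {
		n, _, err := syscall.Recvfrom(fd, buf, 0)
		if err != nil {
			fatal("recvfrom", err)
		}
		msgs, err := SplitMessages(buf[:n])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
		}
		for _, m := range msgs {
			if m.Type == syscall.NLMSG_ERROR && len(m.Data) >= 4 { // the ACK carries errno 0
				if e := int32(ho.Uint32(m.Data)); e != 0 {
					fatal("AUDIT_SET refused", syscall.Errno(-e))
				}
				continue
			}
			fmt.Printf("type=%d %s\n", m.Type, m.Data) // audit records arrive as text after the header
		}
	}
}
```

Run it as root on a host where `auditd` is stopped; a non-zero errno in the ACK (typically EEXIST) means another daemon still holds the registration. The numeric `type` printed is the audit record type (1300 is SYSCALL, 1302 PATH, and so on), which is the value `auparse` maps to the `type=` names seen in `audit.log`.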
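`auparse` does two things the README only shows the output of: it parses each `type=... msg=audit(ts:seq): k=v ...` line, and it combines the records that share one sequence number into a single event, which `-i` then summarises as actor, action, object and how. The example below is added here and is not auparse's code; it reimplements both steps over the seven records from the README output above, with constructed lookup tables (`userNames`, `syscallActions`, `pamActions`) standing in for the system user database and the per-architecture syscall tables the real tool consults.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Record is one "type=T msg=audit(SECS.MILLIS:SEQ): k=v ..." line, Event the records sharing one
// sequence number (what auparse combines), Summary the auparse -i style actor/action/object/how view.
type Record struct {
	Type     string
	Time     time.Time
	Sequence uint32
	Fields   map[string]string
}
type Event struct {
	Sequence uint32
	Records  []Record
}
type Summary struct{ Actor, Effective, Action, Object, How string }

var (
	headerRE = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$`)
	// A value is single-quoted (the nested msg='...' of PAM records), double-quoted, or a bare token.
	kvRE = regexp.MustCompile(`(\w+)=('[^']*'|"[^"]*"|\S*)`)
	// Constructed tables for this example (auparse uses the system user database and full syscall
	// tables); IDs missing here resolve to "". arch c000003e is x86_64, where syscall 59 is execve.
	userNames      = map[string]string{"0": "root", "1000": "vagrant"}
	syscallActions = map[string]string{"c000003e/59": "executed"}
	pamActions     = map[string]string{"CRED_ACQ": "acquired-credentials", "USER_START": "started-session"}
)

// parseFields adds every k=v pair in s to into, flattening a nested msg='...' block.
func parseFields(s string, into map[string]string) {
	for _, m := range kvRE.FindAllStringSubmatch(s, -1) {
		if v := m[2]; len(v) >= 2 && v[0] == '\'' && v[len(v)-1] == '\'' {
			parseFields(v[1:len(v)-1], into)
		} else {
			into[m[1]] = strings.Trim(v, `"`)
		}
	}
}

// ParseLog parses each line into a Record and groups records by sequence number, in first-seen order.
func ParseLog(log string) ([]Event, error) {
	var events []Event
	index := map[uint32]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		m := headerRE.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("not an audit record: %q", line)
		}
		secs, _ := strconv.ParseInt(m[2], 10, 64)
		ms, _ := strconv.ParseInt(m[3], 10, 64)
		seq, _ := strconv.ParseUint(m[4], 10, 32)
		r := Record{Type: m[1], Time: time.Unix(secs, ms*int64(time.Millisecond)).UTC(), Sequence: uint32(seq), Fields: map[string]string{}}
		parseFields(m[5], r.Fields)
		i, ok := index[r.Sequence]
		if !ok { // records of one event may be interleaved with others, so group by sequence, not adjacency
			i = len(events)
			index[r.Sequence] = i
			events = append(events, Event{Sequence: r.Sequence})
		}
		events[i].Records = append(events[i].Records, r)
	}
	return events, nil
}

// Interpret derives the summary from an event's first record and, for syscalls, its PATH records.
func Interpret(ev Event) Summary {
	f := ev.Records[0].Fields
	s := Summary{Actor: userNames[f["auid"]], Effective: userNames[f["uid"]], How: f["exe"]}
	if t := ev.Records[0].Type; t != "SYSCALL" { // PAM records: the object is the session's terminal
		s.Action, s.Object = pamActions[t], f["terminal"]
		return s
	}
	if s.Action = syscallActions[f["arch"]+"/"+f["syscall"]]; s.Action == "" {
		s.Action = "syscall " + f["syscall"] // not in the table: keep the raw number
	}
	for _, r := range ev.Records {
		if r.Type == "PATH" && r.Fields["item"] == "0" { // item 0 names the executed file
			s.Object = r.Fields["name"]
		}
	}
	return s
}

// SampleLog is the seven-record excerpt shown in the README above (events 545, 546 and 547).
const SampleLog = `
type=CRED_ACQ msg=audit(1481077334.302:545): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1481077334.303:546): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1481077334.304:547): arch=c000003e syscall=59 success=yes exit=0 a0=7f683953a5d8 a1=7f683953fd38 a2=7f6839543a90 a3=6 items=2 ppid=1444 pid=1445 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="su" exe="/usr/bin/su" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=EXECVE msg=audit(1481077334.304:547): argc=1 a0="su"
type=CWD msg=audit(1481077334.304:547):  cwd="/home/andrew_kroh"
type=PATH msg=audit(1481077334.304:547): item=0 name="/bin/su" inode=5026 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:su_exec_t:s0 objtype=NORMAL
type=PATH msg=audit(1481077334.304:547): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=16778495 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL
`

func main() {
	events, _ := ParseLog(SampleLog)
	for _, ev := range events {
		fmt.Printf("seq=%d records=%d %+v\n", ev.Sequence, len(ev.Records), Interpret(ev))
	}
}
```

Two details matter when writing such a parser for real logs. The PAM record types carry their meaningful fields (`op`, `acct`, `exe`, `terminal`) inside the outer `msg='...'` value, so that value has to be split again before quotes are stripped, or `exe` and `acct` are lost. And the five records of event 547 are tied together only by the sequence number: the EXECVE record holds the arguments, CWD the working directory, and PATH item 0 the binary actually executed, so a detection that looks at SYSCALL lines alone never sees what was run or from where.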