{"id":13838588,"url":"https://github.com/elastic/go-libaudit","last_synced_at":"2025-05-14T14:09:35.752Z","repository":{"id":19753790,"uuid":"87599809","full_name":"elastic/go-libaudit","owner":"elastic","description":"go-libaudit is a library for communicating with the Linux Audit Framework.","archived":false,"fork":false,"pushed_at":"2025-05-06T17:06:26.000Z","size":551,"stargazers_count":151,"open_issues_count":18,"forks_count":74,"subscribers_count":210,"default_branch":"main","last_synced_at":"2025-05-12T00:17:38.334Z","etag":null,"topics":["audit-logs","auditd","golang"],"latest_commit_sha":null,"homepage":"https://www.elastic.co/products/beats/auditbeat","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/elastic.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":"audit.go","citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-04-08T01:42:52.000Z","updated_at":"2025-05-06T02:57:10.000Z","dependencies_parsed_at":"2023-01-11T20:35:21.690Z","dependency_job_id":"48b2d0b3-766e-41e1-ba44-ab1392d3bf87","html_url":"https://github.com/elastic/go-libaudit","commit_stats":{"total_commits":162,"total_committers":20,"mean_commits":8.1,"dds":0.4135802469135802,"last_synced_commit":"f626137dab95db78d6e6b6bc0743d9a0fe85f8e1"},"previous_names":[],"tags_count":27,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fgo-libaudit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fgo-libaudit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fgo-libaudit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fgo-libaudit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/elastic","download_url":"https://codeload.github.com/elastic/go-libaudit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254160425,"owners_count":22024568,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit-logs","auditd","golang"],"created_at":"2024-08-04T16:00:22.582Z","updated_at":"2025-05-14T14:09:30.740Z","avatar_url":"https://github.com/elastic.png","language":"Go","funding_links":[],"categories":["osquery and linux audit"],"sub_categories":[],"readme":"# go-libaudit\n\n[![Go Documentation](http://img.shields.io/badge/go-documentation-blue.svg?style=flat-square)][godocs]\n\n[godocs]: http://godoc.org/github.com/elastic/go-libaudit\n\ngo-libaudit is a library for Go (golang) for communicating with the Linux Audit\nFramework. The Linux Audit Framework provides system call auditing in the kernel\nand logs the events to user-space using netlink sockets. This library\nfacilitates user-space applications that want to receive audit events.\n\n## Installation and Usage\n\nPackage documentation can be found on [GoDoc][godocs].\n\nInstallation can be done with a normal `go get`:\n\n```\n$ go get github.com/elastic/go-libaudit\n```\n\n### audit example\n\ngo-libaudit has two example applications that you can use to try the library.\nThe first is _audit_ which registers to receive audit events from the kernel\nand outputs the data it receives to stdout. The system's `auditd` process\nshould be stopped first.\n\n```\n$ go install github.com/elastic/go-libaudit/cmd/audit@main\n$ sudo $GOPATH/bin/audit -d\n```\n\n### auparse example\n\nThe second is _auparse_ which parses the log files from the Linux auditd\nprocess or the output of the _audit_ example command. It combines related log\nmessages that are a part of the same event.\n\n```\n$ go install github.com/elastic/go-libaudit/cmd/auparse@main\n$ sudo cat /var/log/audit/audit.log | auparse\n---\ntype=CRED_ACQ msg=audit(1481077334.302:545): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/1 res=success'\n---\ntype=USER_START msg=audit(1481077334.303:546): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/1 res=success'\n---\ntype=SYSCALL msg=audit(1481077334.304:547): arch=c000003e syscall=59 success=yes exit=0 a0=7f683953a5d8 a1=7f683953fd38 a2=7f6839543a90 a3=6 items=2 ppid=1444 pid=1445 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm=\"su\" exe=\"/usr/bin/su\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)\ntype=EXECVE msg=audit(1481077334.304:547): argc=1 a0=\"su\"\ntype=CWD msg=audit(1481077334.304:547):  cwd=\"/home/andrew_kroh\"\ntype=PATH msg=audit(1481077334.304:547): item=0 name=\"/bin/su\" inode=5026 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:su_exec_t:s0 objtype=NORMAL\ntype=PATH msg=audit(1481077334.304:547): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=16778495 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL\n```\n\nIt supports outputting the messages as plain text (default), JSON, or YAML by\nusing `-format=yaml` for example.\n\n```\n$ sudo cat /var/log/audit/audit.log | auparse -format=json\n---\n{\"@timestamp\":\"2016-12-07 02:22:14.302 +0000 UTC\",\"acct\":\"root\",\"auid\":\"1000\",\"exe\":\"/usr/bin/sudo\",\"grantors\":\"pam_env,pam_unix\",\"op\":\"PAM:setcred\",\"pid\":\"1444\",\"raw_msg\":\"audit(1481077334.302:545): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=\\\"root\\\" exe=\\\"/usr/bin/sudo\\\" hostname=? addr=? terminal=/dev/pts/1 res=success'\",\"record_type\":\"CRED_ACQ\",\"result\":\"success\",\"sequence\":\"545\",\"ses\":\"4\",\"subj_category\":\"c0.c1023\",\"subj_domain\":\"unconfined_t\",\"subj_level\":\"s0-s0\",\"subj_role\":\"unconfined_r\",\"subj_user\":\"unconfined_u\",\"terminal\":\"/dev/pts/1\",\"uid\":\"0\"}\n---\n{\"@timestamp\":\"2016-12-07 02:22:14.303 +0000 UTC\",\"acct\":\"root\",\"auid\":\"1000\",\"exe\":\"/usr/bin/sudo\",\"grantors\":\"pam_keyinit,pam_limits\",\"op\":\"PAM:session_open\",\"pid\":\"1444\",\"raw_msg\":\"audit(1481077334.303:546): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct=\\\"root\\\" exe=\\\"/usr/bin/sudo\\\" hostname=? addr=? terminal=/dev/pts/1 res=success'\",\"record_type\":\"USER_START\",\"result\":\"success\",\"sequence\":\"546\",\"ses\":\"4\",\"subj_category\":\"c0.c1023\",\"subj_domain\":\"unconfined_t\",\"subj_level\":\"s0-s0\",\"subj_role\":\"unconfined_r\",\"subj_user\":\"unconfined_u\",\"terminal\":\"/dev/pts/1\",\"uid\":\"0\"}\n---\n{\"@timestamp\":\"2016-12-07 02:22:14.304 +0000 UTC\",\"a0\":\"7f683953a5d8\",\"a1\":\"7f683953fd38\",\"a2\":\"7f6839543a90\",\"a3\":\"6\",\"arch\":\"x86_64\",\"auid\":\"1000\",\"comm\":\"su\",\"egid\":\"0\",\"euid\":\"0\",\"exe\":\"/usr/bin/su\",\"exit\":\"0\",\"fsgid\":\"0\",\"fsuid\":\"0\",\"gid\":\"0\",\"items\":\"2\",\"pid\":\"1445\",\"ppid\":\"1444\",\"raw_msg\":\"audit(1481077334.304:547): arch=c000003e syscall=59 success=yes exit=0 a0=7f683953a5d8 a1=7f683953fd38 a2=7f6839543a90 a3=6 items=2 ppid=1444 pid=1445 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm=\\\"su\\\" exe=\\\"/usr/bin/su\\\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)\",\"record_type\":\"SYSCALL\",\"result\":\"success\",\"sequence\":\"547\",\"ses\":\"4\",\"sgid\":\"0\",\"subj_category\":\"c0.c1023\",\"subj_domain\":\"unconfined_t\",\"subj_level\":\"s0-s0\",\"subj_role\":\"unconfined_r\",\"subj_user\":\"unconfined_u\",\"suid\":\"0\",\"syscall\":\"execve\",\"tty\":\"pts1\",\"uid\":\"0\"}\n{\"@timestamp\":\"2016-12-07 02:22:14.304 +0000 UTC\",\"a0\":\"su\",\"argc\":\"1\",\"raw_msg\":\"audit(1481077334.304:547): argc=1 a0=\\\"su\\\"\",\"record_type\":\"EXECVE\",\"sequence\":\"547\"}\n{\"@timestamp\":\"2016-12-07 02:22:14.304 +0000 UTC\",\"cwd\":\"/home/andrew_kroh\",\"raw_msg\":\"audit(1481077334.304:547):  cwd=\\\"/home/andrew_kroh\\\"\",\"record_type\":\"CWD\",\"sequence\":\"547\"}\n{\"@timestamp\":\"2016-12-07 02:22:14.304 +0000 UTC\",\"dev\":\"08:01\",\"inode\":\"5026\",\"item\":\"0\",\"mode\":\"0104755\",\"name\":\"/bin/su\",\"obj_domain\":\"su_exec_t\",\"obj_level\":\"s0\",\"obj_role\":\"object_r\",\"obj_user\":\"system_u\",\"objtype\":\"NORMAL\",\"ogid\":\"0\",\"ouid\":\"0\",\"raw_msg\":\"audit(1481077334.304:547): item=0 name=\\\"/bin/su\\\" inode=5026 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:su_exec_t:s0 objtype=NORMAL\",\"rdev\":\"00:00\",\"record_type\":\"PATH\",\"sequence\":\"547\"}\n{\"@timestamp\":\"2016-12-07 02:22:14.304 +0000 UTC\",\"dev\":\"08:01\",\"inode\":\"16778495\",\"item\":\"1\",\"mode\":\"0100755\",\"name\":\"/lib64/ld-linux-x86-64.so.2\",\"obj_domain\":\"ld_so_t\",\"obj_level\":\"s0\",\"obj_role\":\"object_r\",\"obj_user\":\"system_u\",\"objtype\":\"NORMAL\",\"ogid\":\"0\",\"ouid\":\"0\",\"raw_msg\":\"audit(1481077334.304:547): item=1 name=\\\"/lib64/ld-linux-x86-64.so.2\\\" inode=16778495 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL\",\"rdev\":\"00:00\",\"record_type\":\"PATH\",\"sequence\":\"547\"}\n```\n\nTo normalize and interpret the messages, use the `-i` flag for \"interpret\". This\nadds a category to the event and creates the `actor`, `action`, `thing`, and\n`how` fields based on data from the event. By default it will resolve UID and\nGID values to their names (use `-id=false` to disable this).\n\n```\n$ sudo cat /var/log/audit/audit.log | auparse -format=yaml -i\n---\ntimestamp: 2016-12-07T02:22:14.302Z\nsequence: 545\ncategory: user-login\nrecord_type: cred_acq\nresult: success\nsession: \"4\"\nsummary:\n  actor:\n    primary: vagrant\n    secondary: root\n  action: acquired-credentials\n  object:\n    type: user-session\n    primary: /dev/pts/1\n  how: /usr/bin/sudo\nuser:\n  ids:\n    auid: \"1000\"\n    uid: \"0\"\n  names:\n    auid: vagrant\n    uid: root\n  selinux:\n    category: c0.c1023\n    domain: unconfined_t\n    level: s0-s0\n    role: unconfined_r\n    user: unconfined_u\nprocess:\n  pid: \"1444\"\n  exe: /usr/bin/sudo\ndata:\n  acct: root\n  grantors: pam_env,pam_unix\n  op: PAM:setcred\n  terminal: /dev/pts/1\necs:\n  event:\n    category:\n    - authentication\n    type:\n    - info\n  user:\n    name: vagrant\n    id: \"1000\"\n    effective:\n      name: root\n      id: \"0\"\n    target: {}\n    changes: {}\n  group: {}\n\n---\ntimestamp: 2016-12-07T02:22:14.303Z\nsequence: 546\ncategory: user-login\nrecord_type: user_start\nresult: success\nsession: \"4\"\nsummary:\n  actor:\n    primary: vagrant\n    secondary: root\n  action: started-session\n  object:\n    type: user-session\n    primary: /dev/pts/1\n  how: /usr/bin/sudo\nuser:\n  ids:\n    auid: \"1000\"\n    uid: \"0\"\n  names:\n    auid: vagrant\n    uid: root\n  selinux:\n    category: c0.c1023\n    domain: unconfined_t\n    level: s0-s0\n    role: unconfined_r\n    user: unconfined_u\nprocess:\n  pid: \"1444\"\n  exe: /usr/bin/sudo\ndata:\n  acct: root\n  grantors: pam_keyinit,pam_limits\n  op: PAM:session_open\n  terminal: /dev/pts/1\necs:\n  event:\n    category:\n    - authentication\n    type:\n    - info\n  user:\n    name: vagrant\n    id: \"1000\"\n    effective:\n      name: root\n      id: \"0\"\n    target: {}\n    changes: {}\n  group: {}\n\n---\ntimestamp: 2016-12-07T02:22:14.304Z\nsequence: 547\ncategory: audit-rule\nrecord_type: syscall\nresult: success\nsession: \"4\"\nsummary:\n  actor:\n    primary: vagrant\n    secondary: root\n  action: executed\n  object:\n    type: file\n    primary: /bin/su\n  how: /usr/bin/su\nuser:\n  ids:\n    auid: \"1000\"\n    egid: \"0\"\n    euid: \"0\"\n    fsgid: \"0\"\n    fsuid: \"0\"\n    gid: \"0\"\n    sgid: \"0\"\n    suid: \"0\"\n    uid: \"0\"\n  names:\n    auid: vagrant\n    egid: root\n    euid: root\n    fsgid: root\n    fsuid: root\n    gid: root\n    sgid: root\n    suid: root\n    uid: root\n  selinux:\n    category: c0.c1023\n    domain: unconfined_t\n    level: s0-s0\n    role: unconfined_r\n    user: unconfined_u\nprocess:\n  pid: \"1445\"\n  ppid: \"1444\"\n  name: su\n  exe: /usr/bin/su\n  cwd: /home/andrew_kroh\n  args:\n  - su\nfile:\n  path: /bin/su\n  device: \"00:00\"\n  inode: \"5026\"\n  mode: \"0755\"\n  uid: \"0\"\n  gid: \"0\"\n  owner: root\n  group: root\n  selinux:\n    domain: su_exec_t\n    level: s0\n    role: object_r\n    user: system_u\ndata:\n  a0: 7f683953a5d8\n  a1: 7f683953fd38\n  a2: 7f6839543a90\n  a3: \"6\"\n  arch: x86_64\n  argc: \"1\"\n  exit: \"0\"\n  syscall: execve\n  tty: pts1\npaths:\n- dev: \"08:01\"\n  inode: \"5026\"\n  item: \"0\"\n  mode: \"0104755\"\n  name: /bin/su\n  obj_domain: su_exec_t\n  obj_level: s0\n  obj_role: object_r\n  obj_user: system_u\n  objtype: NORMAL\n  ogid: \"0\"\n  ouid: \"0\"\n  rdev: \"00:00\"\n- dev: \"08:01\"\n  inode: \"16778495\"\n  item: \"1\"\n  mode: \"0100755\"\n  name: /lib64/ld-linux-x86-64.so.2\n  obj_domain: ld_so_t\n  obj_level: s0\n  obj_role: object_r\n  obj_user: system_u\n  objtype: NORMAL\n  ogid: \"0\"\n  ouid: \"0\"\n  rdev: \"00:00\"\necs:\n  event:\n    category:\n    - process\n    type:\n    - start\n  user:\n    effective: {}\n    target: {}\n    changes: {}\n  group: {}\n```\n\n## ECS compatibility\n\nThis currently provides [Elastic Common Schema (ECS) 1.8](https://www.elastic.co/guide/en/ecs/current/index.html) categorization support for some of the more prominent or meaningful auditd events and syscalls.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felastic%2Fgo-libaudit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Felastic%2Fgo-libaudit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felastic%2Fgo-libaudit/lists"}