I've searched for any related issues and avoided creating a duplicate issue.
Description
Hi! There is no option to include node name/ip in log output, like "name_format" in auditd.conf:
name_format
This option controls how computer node names are inserted
into the audit event stream. It has the following choices:
none, hostname, fqd, numeric, and user. None means that
no computer name is inserted into the audit event.
hostname is the name returned by the gethostname syscall.
The fqd means that it takes the hostname and resolves it
with dns for a fully qualified domain name of that
machine. Numeric is similar to fqd except it resolves the
IP address of the machine. In order to use this option,
you might want to test that 'hostname -i' or 'domainname
-i' returns a numeric address. Also, this option is not
recommended if dhcp is used because you could have
different addresses over time for the same machine. User
is an admin defined string from the name option. The
default value is none.
Is there any way to include such info in current output?
Reproducible in:
go-audit version: 1.2.0
Expected result:
Every log line can include node hostname/ip if the option is set to (hostname | fqd | numeric | user) in config file, like:
{ "sequence": 101, "timestamp": "1482700861.088", "node": "192.168.0.1", "messages": [ { "type": 1300, "data": "arch=c000003e syscall=2 success=yes exit=3 a0=7ffff76f7938 a1=0 a2=20000 a3=69d items=1 ppid=12166 pid=12602 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm=\"cat\" exe=\"/bin/cat\" key=\"bees_in_my_honey\"" }, { "type": 1307, "data": " cwd=\"/root\"" }, { "type": 1302, "data": "item=0 name=\"/opt/secret.txt\" inode=785716 dev=fc:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL" }, { "type": 1327, "data": "proctitle=636174002F6F70742F7365637265742E747874" } ], "uid_map": { "0": "root", "1000": "user" } }
Actual result:
Currently, there is no such option in config file.
@wadey It is only partially related. #91 enables writing arbitrary static key/value pairs described in the config file. The hostname/IP, however, must be obtained by somehow querying the operating system on each host.
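A sketch of how the name_format choices quoted in the issue could be resolved on each host, added here as an example; it is not go-audit code. The names `Resolver` and `NodeName` are hypothetical, and the lookups are injected so they can be stubbed.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strings"
)

// Resolver wraps the OS and DNS lookups so they can be stubbed (hypothetical type).
type Resolver struct {
	Hostname func() (string, error)         // e.g. os.Hostname
	CNAME    func(string) (string, error)   // e.g. net.LookupCNAME
	Addrs    func(string) ([]string, error) // e.g. net.LookupHost
}

// NodeName maps a name_format choice to the "node" value; "" means no field is added.
func NodeName(format, user string, r Resolver) (string, error) {
	switch format {
	case "", "none":
		return "", nil
	case "user":
		if user == "" {
			return "", fmt.Errorf("name_format user requires a name")
		}
		return user, nil
	case "hostname", "fqd", "numeric":
	default:
		return "", fmt.Errorf("unknown name_format %q", format)
	}
	host, err := r.Hostname()
	if err != nil || format == "hostname" {
		return host, err
	}
	if format == "fqd" {
		fqdn, err := r.CNAME(host) // canonical name, usually with a trailing dot
		return strings.TrimSuffix(fqdn, "."), err
	}
	addrs, err := r.Addrs(host)
	if err != nil || len(addrs) == 0 {
		return "", fmt.Errorf("no address for %q: %v", host, err)
	}
	return addrs[0], nil
}

func main() {
	sys := Resolver{os.Hostname, net.LookupCNAME, net.LookupHost}
	fmt.Println(NodeName("hostname", "", sys))
}
```

Resolving once at startup keeps the node value stable for the life of the process, which matters for the DHCP caveat in the quoted man page text.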