audisp-statsd - Man Page

plugin to push audit metrics to a statsd service

audisp-statsd is a plugin for the audit event dispatcher that pushes audit metrics to a statsd service using UDP. It reads auditd's state report at regular intervals and forwards the data. Generation of the state report must be enabled in auditd.conf.

Configuration

The plugin's configuration file is /etc/audit/audisp-statsd.conf. The following parameters are recognized:

address: The name or address of the statsd server.
port: The UDP port of the statsd service.
interval: Time interval between reading auditd's report. The value is a time string such as 10m, 1h, 2d, or 6M where the suffix is s for seconds, m for minutes, h for hours, d for days, and M for months. The default is 15s.

Report Metrics

The plugin collects the following metrics as gauges:

backlog: number of kernel events pending transfer to user space
lost: number of kernel events dropped
free_space: how much disk free space auditd sees in MB
plugin_current_depth: number of events in auditd pending transfer to plugins
plugin_max_depth: historical maximum number of events backlogged while pending transfer to plugins
total_memory: current total memory in use by glibc in KB
memory_in_use: how much of the total memory is actively used in KB
memory_free: amount of free memory available in the glibc arenas in KB

The following metrics are counters:

events_total_count: total number of events seen during interval
events_total_failed: total number of events seen during interval with failed outcome
events_avc_count: total number of AVC events seen during interval
events_fanotify_count: total number of FANOTIFY events seen during interval
events_logins_success: total number of successful login events seen during interval
events_logins_failed: total number of failed login events seen during interval
events_anamoly_count: total number of anamoly events seen during interval
events_response_count: total number of anamoly response events seen during interval