Syscall Auditing at Scale
Ryan Huber

I like how you went with a fresh codebase and talk directly to the kernel (netlink). In theory this should yield better performance and simpler conversion.

I’m working on a similar task at Red Hat, but using libauparse and running under auditd and audispd for live streaming, although the tool also supports single-shot log conversion.

I’ll be taking a closer look at go-audit; you can also drop by and take a look at what I’m doing, and perhaps we can share a few things.

Here’s my project:


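Both approaches the comment contrasts (go-audit reading raw records over netlink, or a libauparse-based tool running under audispd or converting a log file in one shot) end up doing the same job: turning the kernel's `type=... msg=audit(ts:serial): k=v ...` records into structured events. The following is an added example, written for this page and not code from go-audit or from the commenter's Red Hat project. It parses audit records from the text form auditd writes, hex-decodes the fields the kernel encodes when a value contains a space, quote or control byte, groups records by event serial, and flushes each event when its `EOE` record arrives. The sample records in `SAMPLE_LOG` are constructed for the example, and the `HEX_FIELDS` set is a simplified assumption rather than the full list ausearch knows about.

```python
"""Group Linux audit log records into per-event JSON documents.

Added example for this page; not go-audit and not the commenter's tool.
SAMPLE_LOG is constructed input, and HEX_FIELDS is a simplified assumption.
"""
import json
import re
from collections import OrderedDict

# One record: type=SYSCALL msg=audit(1469717856.123:4569): arch=... key="exec"
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S*)')

# Fields the kernel hex-encodes instead of quoting when the value is not
# safely printable. Simplified assumption; the real list is longer.
HEX_FIELDS = {"proctitle", "cwd", "name", "comm", "exe", "key"}
ARGV_RE = re.compile(r"^a\d+$")  # EXECVE argument fields a0, a1, ...

# Constructed sample: an execve of "ls" with an argument containing a space,
# followed by a denied openat of /etc/shadow.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1469717856.123:4569): arch=c000003e syscall=59 success=yes exit=0 a0=55e4c1a2b1c0 a1=55e4c1a2b2a0 a2=55e4c1a2c010 a3=7ffd6a1e3b10 items=1 ppid=2011 pid=2042 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1469717856.123:4569): argc=2 a0="ls" a1=2D6C6120746D70
type=CWD msg=audit(1469717856.123:4569): cwd="/home/user"
type=PATH msg=audit(1469717856.123:4569): item=0 name="/usr/bin/ls" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1469717856.123:4569): proctitle=6C73002D6C6120746D70
type=EOE msg=audit(1469717856.123:4569):
type=SYSCALL msg=audit(1469717900.001:4570): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffe2b3c4d50 a2=0 a3=0 items=1 ppid=2011 pid=2077 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="secrets"
type=CWD msg=audit(1469717900.001:4570): cwd="/home/user"
type=PATH msg=audit(1469717900.001:4570): item=0 name="/etc/shadow" inode=1111 dev=fd:01 mode=0100000 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=EOE msg=audit(1469717900.001:4570):
"""


def decode_value(rtype, key, raw):
    """Strip quotes, or hex-decode fields the kernel encodes that way.
    Only decode known fields: a0..a3 in a SYSCALL record are pointer values
    that happen to look like hex and must be left alone."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    hex_encoded = key in HEX_FIELDS or (rtype == "EXECVE" and ARGV_RE.match(key))
    if hex_encoded and raw and len(raw) % 2 == 0:
        try:
            # proctitle separates argv entries with NUL bytes
            return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
        except ValueError:
            pass
    return raw


def parse_record(line):
    """Parse one audit.log line into its type, timestamp, serial and fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype = m.group("type")
    fields = OrderedDict()
    for fm in FIELD_RE.finditer(m.group("body")):
        fields[fm.group("key")] = decode_value(rtype, fm.group("key"), fm.group("val"))
    return {"type": rtype, "timestamp": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(lines):
    """Yield one dict per audit event. On a busy host records from different
    events interleave, so buffer by serial and emit when EOE closes the event;
    anything still open at the end (truncated log) is flushed as-is."""
    pending = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        serial = rec["serial"]
        if rec["type"] == "EOE":
            ev = pending.pop(serial, None)
            if ev is not None:
                yield ev
            continue
        ev = pending.setdefault(
            serial, {"serial": serial, "timestamp": rec["timestamp"], "records": []})
        ev["records"].append(dict(type=rec["type"], **rec["fields"]))
    for ev in pending.values():
        yield ev


def summarize(event):
    """Flatten an event into the fields a detection pipeline usually wants."""
    out = {"serial": event["serial"], "timestamp": event["timestamp"]}
    for rec in event["records"]:
        if rec["type"] == "SYSCALL":
            for k in ("syscall", "success", "exit", "auid", "uid", "comm", "exe", "key"):
                if k in rec:
                    out[k] = rec[k]
        elif rec["type"] == "EXECVE":
            out["argv"] = [rec.get("a%d" % i, "") for i in range(int(rec.get("argc", 0)))]
        elif rec["type"] == "PATH":
            out.setdefault("paths", []).append(rec.get("name"))
        elif rec["type"] == "PROCTITLE":
            out["proctitle"] = rec.get("proctitle")
        elif rec["type"] == "CWD":
            out["cwd"] = rec.get("cwd")
    return out


if __name__ == "__main__":
    for ev in group_events(SAMPLE_LOG.splitlines()):
        print(json.dumps(summarize(ev)))
```

The grouping step is where a netlink reader and a libauparse-based tool differ least: both have to hold records until `EOE` (or a timeout, which this example omits) because the kernel does not guarantee that one event's records arrive contiguously. The `decode_value` rule is the part most often got wrong in home-grown converters: decoding every even-length hex string turns SYSCALL pointer arguments into garbage, so decoding must be keyed on field name and record type.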