This is for Ubuntu. root@ld5333:/etc# lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04 LTS Release: 16.04 Codename: xenial root@ld5333:/etc# go-audit -config /etc/go-audit.yaml 2017/02/08 Flushed existing audit rules 2017/02/08 Added audit rule #1 2017/02/08 Added audit rule #2 2017/02/08 Added audit rule #3 2017/02/08 Socket receive buffer size: 32768 2017/02/08 Ignoring syscall `49` containing message type `1306` matching string `saddr=(10..|0A..)` 2017/02/08 Ignoring syscall `` containing message type `1305` matching string `.*` 2017/02/08 Started processing events 2017/02/08 Likely missed sequence 588861, current 589363, worst message delay 0 2017/02/08 Likely missed sequence 588863, current 589365, worst message delay 0 2017/02/08 Likely missed sequence 588865, current 589367, worst message delay 0 2017/02/08 Likely missed sequence 588867, current 589369, worst message delay 0 ^C root@ld5333:/etc# cat /etc/go-audit.yaml ######################################################################################### # Please note that until this bug spf13/viper#165 is fixed # # you _must_ specify all values despite the fact that they talk about having a default. # # Hopefully this problem with viper goes away soon # ######################################################################################### # Configure socket buffers, leave unset to use the system defaults # Values will be doubled by the kernel # It is recommended you do not set any of these values unless you really need to socket_buffer: # Default is net.core.rmem_default (/proc/sys/net/core/rmem_default) # Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max) receive: 16384 # Configure message sequence tracking message_tracking: # Track messages and identify if we missed any, default true enabled: true # Log out of orderness, these messages typically signify an overloading system, default false log_out_of_order: false # Maximum out of orderness before a missed sequence is presumed dropped, default 500 max_out_of_order: 500 # Configure where to output audit events # Only 1 output can be active at a given time output: # Writes to stdout # All program status logging will be moved to stderr stdout: #enabled: true enabled: false # Total number of attempts to write a line before considering giving up # If a write fails go-audit will sleep for 1 second before retrying # Default is 3 attempts: 2 # Writes logs to syslog syslog: #enabled: false enabled: true attempts: 5 # Configure the type of socket this should be, default is unixgram # This maps to `network` in golangs net.Dial: https://golang.org/pkg/net/#Dial #network: unixgram network: udp # Set the remote address to connect to, this can be a path or an ip address # This maps to `address` in golangs net.Dial: https://golang.org/pkg/net/#Dial #address: /dev/log address: 172.24.102.204:514 # Sets the facility and severity for all events. See the table below for help # The default is 132 which maps to local0 | warn priority: 129 # local0 | emerg # Typically the name of the program generating the message. The PID is of the process is appended for you: [1233] # Default value is "go-audit" tag: "audit-thing" # Appends logs to a file file: enabled: false attempts: 2 # Path of the file to write lines to # The actual file will be created if it is missing but make sure the parent directory exists path: /tmp/go-audit.log # Octal file mode for the log file, make sure to always have a leading 0 mode: 0600 # User and group that should own the log file #user: nobody #group: nogroup user: root group: root # Configure logging, only stdout and stderr are used. log: # Gives you a bit of control over log line prefixes. Default is 0 - nothing. # To get the `filename:lineno` you would set this to 16 # # Ldate = 1 // the date in the local time zone: 2009/01/23 # Ltime = 2 // the time in the local time zone: 01:23:23 # Lmicroseconds = 4 // microsecond resolution: 01:23:23.123123. assumes Ltime. # Llongfile = 8 // full file name and line number: /a/b/c/d.go:23 # Lshortfile = 16 // final file name element and line number: d.go:23. overrides Llongfile # LUTC = 32 // if Ldate or Ltime is set, use UTC rather than the local time zone # # See also: https://golang.org/pkg/log/#pkg-constants flags: 0 flags: 1 rules: # Watch all 64 bit program executions #- -a exit,always -F arch=b64 -S execve # Watch all 32 bit program executions #- -a exit,always -F arch=b32 -S execve - -a exit,always -S listen - -a exit,always -F arch=b64 -F a0=2 -F a1=2 -F a2=17 -S socket #- -a exit,always -F arch=b64 -S socket -F a0=3 #- -a exit,always -F arch=b64 -S socket -F a0=4 # Enable kernel auditing (required if not done via the "audit" kernel boot parameter) # You can also use this to lock the rules. Locking requires a reboot to modify the ruleset. # This should be the last rule in the chain. - -e 1 # If kaudit filtering isn't powerful enough you can use the following filter mechanism filters: # Each filter consists of exactly 3 parts - syscall: 49 # The syscall id of the message group (a single log line from go-audit), to test against the regex message_type: 1306 # The message type identifier containing the data to test against the regex regex: saddr=(10..|0A..) # The regex to test against the message specific message types data - syscall: "" message_type: 1305 regex: .* root@ld5333:/etc# [id:image001.png@01D27AE2.650A0A00] Bryan C. Jamieson Senior Systems Engineer THD Austin Technology Center North 13011 McCallen Pass Austin, Tx 78753 W: 737-931-8627 C: 512-221-8906 Email: Bryan_Jamieson@homedepot.com<mailto:Bryan_Jamieson@homedepot.com> From: Nathan Brown <notifications@github.com> Reply-To: slackhq/go-audit <reply@reply.github.com> Date: Tuesday, February 7, 2017 at 10:06 PM To: slackhq/go-audit <go-audit@noreply.github.com> Cc: Bryan Jamieson <BRYAN_JAMIESON@homedepot.com>, Author <author@noreply.github.com> Subject: Re: [slackhq/go-audit] incessant likely missed sequence messages (#23) What is your current config for message_tracking.max_out_of_order<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_slackhq_go-2Daudit_blob_master_go-2Daudit.yaml.example-23L24&d=DwMCaQ&c=MtgQEAMQGqekjTjiAhkudQ&r=sKlxnwXL5hMER5M7S_weJGLwQtOMm_wlozqCY3avvY8&m=VKz8BLpQflD7ECINmvU64E0nsIMNBJqZMB0kobFkDDU&s=U98IMaANFSTpK5PpxIJA7E6HkoZMhxL9j0aj2AVDdAE&e=>? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_slackhq_go-2Daudit_issues_23-23issuecomment-2D278223789&d=DwMCaQ&c=MtgQEAMQGqekjTjiAhkudQ&r=sKlxnwXL5hMER5M7S_weJGLwQtOMm_wlozqCY3avvY8&m=VKz8BLpQflD7ECINmvU64E0nsIMNBJqZMB0kobFkDDU&s=AnNTl4YMnucUk--tYJYbElFiWpUKPPyqyo8V2-ec6TU&e=>, or mute the thread<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AXRJHkCiGshn9YhKjqjTcosNmvFuSRCLks5raT9WgaJpZM4L2xQt&d=DwMCaQ&c=MtgQEAMQGqekjTjiAhkudQ&r=sKlxnwXL5hMER5M7S_weJGLwQtOMm_wlozqCY3avvY8&m=VKz8BLpQflD7ECINmvU64E0nsIMNBJqZMB0kobFkDDU&s=FucZ-f9-hWu_dQ-7TDA0Z-TzwLgHdURuNmWUy8jN5-Q&e=>.

Nathan, I forgot you had redirected my to govendor ☺ This is happening during the build of go-audit on rhel6.8, it’s not about running go-audit. Let me go open a ticket with govendor. The compile works on rhel 7.3 in a docker container running on the same virtual machine. Govendor seems to deal with all the stanzas ok in the vendor.json file except these two: { "checksumSHA1": "93uHIq25lffEKY47PV8dBPD+XuQ=", "path": "gopkg.in/fsnotify.v1", "revision": "a8a77c9133d2d6fd8334f3260d06f60e8d80a5fb", "revisionTime": "2016-06-29T01:11:04Z" }, { "checksumSHA1": "SPMXWeoFQa5z0pLPmqpcFzyHqQQ=", "path": "gopkg.in/yaml.v2", "revision": "31c299268d302dd0aa9a0dcf765a3d58971ac83f", "revisionTime": "2016-09- 12T16:56:03Z" } [id:image001.png@01D27AE2.650A0A00] Bryan C. Jamieson Senior Systems Engineer THD Austin Technology Center North 13011 McCallen Pass Austin, Tx 78753 W: 737-931-8627 C: 512-221-8906 Email: Bryan_Jamieson@homedepot.com<mailto:Bryan_Jamieson@homedepot.com> From: Nathan Brown <notifications@github.com> Reply-To: slackhq/go-audit <reply@reply.github.com> Date: Friday, February 10, 2017 at 12:59 PM To: slackhq/go-audit <go-audit@noreply.github.com> Cc: Bryan Jamieson <BRYAN_JAMIESON@homedepot.com>, Author <author@noreply.github.com> Subject: Re: [slackhq/go-audit] incessant likely missed sequence messages (#23) Either you have multiple processes fighting for the audit netlink socket or your computer isn't fast enough to process all the audit messages. Can you confirm that only one instance go-audit is running and that auditd is not? While go-audit is running what does cpu utilization look like? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_slackhq_go-2Daudit_issues_23-23issuecomment-2D279034347&d=DwMFaQ&c=MtgQEAMQGqekjTjiAhkudQ&r=sKlxnwXL5hMER5M7S_weJGLwQtOMm_wlozqCY3avvY8&m=CpWgKD3rX-1C5vBkq6_Fa0-gA5Z0__9qDTzpIhu1UN0&s=q3N7VmDaA4V10PhxrDfdzghbeHztaw6uxSHA51umcnQ&e=>, or mute the thread<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AXRJHvRlUohdbwMTf1H5ThJ9gGqAhjObks5rbLOfgaJpZM4L2xQt&d=DwMFaQ&c=MtgQEAMQGqekjTjiAhkudQ&r=sKlxnwXL5hMER5M7S_weJGLwQtOMm_wlozqCY3avvY8&m=CpWgKD3rX-1C5vBkq6_Fa0-gA5Z0__9qDTzpIhu1UN0&s=EwJIBIsOlkZB2I6J5gfUHpeaGYEINuONhajWrKrbLaE&e=>.

I replicated the problem this morning and here is what is running at the time the messages appear. root@ld5333:~# ps -eaf | grep go-audit root 29572 29383 0 10:10 pts/0 00:00:00 go-audit -config /etc/go-audit.yaml root 29677 29443 0 11:05 pts/1 00:00:00 grep --color=auto go-audit root@ld5333:~# [id:image001.png@01D27AE2.650A0A00] Bryan C. Jamieson Senior Systems Engineer THD Austin Technology Center North 13011 McCallen Pass Austin, Tx 78753 W: 737-931-8627 C: 512-221-8906 Email: Bryan_Jamieson@homedepot.com<mailto:Bryan_Jamieson@homedepot.com> From: Nathan Brown <notifications@github.com> Reply-To: slackhq/go-audit <reply@reply.github.com> Date: Friday, February 17, 2017 at 4:31 PM To: slackhq/go-audit <go-audit@noreply.github.com> Cc: Bryan Jamieson <BRYAN_JAMIESON@homedepot.com>, Author <author@noreply.github.com> Subject: Re: [slackhq/go-audit] incessant likely missed sequence messages (#23) Can you confirm how many go-audit processes are running or that auditd is running when this happens? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_slackhq_go-2Daudit_issues_23-23issuecomment-2D280784659&d=DwMCaQ&c=MtgQEAMQGqekjTjiAhkudQ&r=sKlxnwXL5hMER5M7S_weJGLwQtOMm_wlozqCY3avvY8&m=VcYqTdbtM1FCObHcoBNoWc9UEmXFIFU8oX3WejFNUJk&s=IhLA9bDrZKgH4h_d6h-m66JDrOlGA8SxJ1d3CQqdXZ0&e=>, or mute the thread<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AXRJHneUnHgWO-5FcRllWenh14ko6fy5Fvks5rdh-2D1gaJpZM4L2xQt&d=DwMCaQ&c=MtgQEAMQGqekjTjiAhkudQ&r=sKlxnwXL5hMER5M7S_weJGLwQtOMm_wlozqCY3avvY8&m=VcYqTdbtM1FCObHcoBNoWc9UEmXFIFU8oX3WejFNUJk&s=X4bZYrXp3UULDBqQHA6xwzSLik0r4zjUPjVGF1dHmmc&e=>.

root@ld5333:~# systemctl stop auditd root@ld5333:~# root@ld5333:~# systemctl status auditd * auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: inactive (dead) since Thu 2017-01-05 17:32:11 EST; 1 months 17 days ago Main PID: 11349 (code=exited, status=0/SUCCESS) Feb 22 13:30:46 ld5333 systemd[1]: Stopped Security Auditing Service. root@ld5333:~# systemctl status go-audit * go-audit.service - go-audit Loaded: loaded (/etc/systemd/system/go-audit.service; enabled; vendor preset: enabled) Active: inactive (dead) since Mon 2017-02-20 10:11:48 EST; 2 days ago Main PID: 16599 (code=killed, signal=TERM) Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable root@ld5333:~# systemctl start go-audit root@ld5333:~# systemctl status go-audit * go-audit.service - go-audit Loaded: loaded (/etc/systemd/system/go-audit.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2017-02-22 13:34:12 EST; 5s ago Main PID: 2296 (go-audit) CGroup: /system.slice/go-audit.service `-2296 /usr/local/bin/go-audit -config /etc/go-audit.yaml Feb 22 13:34:12 ld5333 systemd[1]: Started go-audit. Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Flushed existing audit rules Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Added audit rule #1 Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Added audit rule #2 Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Added audit rule #3 Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Socket receive buffer size: 32768 Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Ignoring syscall `49` containing message type Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Ignoring syscall `` containing message type `1 Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Started processing events lines 1-16/16 (END) root@ld5333:~# ps -eaf | grep go-audit root 2343 2263 0 13:42 pts/0 00:00:00 go-audit -config /etc/go-audit.yaml root 2443 2405 0 13:47 pts/1 00:00:00 grep --color=auto go-audit root@ld5333:~# grep 172 /etc/*yaml address: 172.24.103.215:514 root@ld5333:~# systemctl restart sshd [root@ld5405 ~]# host ld5405 ld5405.homedepot.com has address 172.24.103.215 [root@ld5405 ~]# nc -u -l 514 <129>2017-02-22T13:26:12-05:00 ln4668 audit-thing[6998]: {"sequence":2285,"timestamp":"1487787972.062","messages":[{"type":1300,"data":"arch=c000003e syscall=50 success=yes exit=0 a0=3 a1=80 a2=10 a3=7ffcdb21f4ac items=0 ppid=1 pid=7083 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm=\"sshd\" exe=\"/usr/sbin/sshd\" key=(null)"}],"uid_map":{"0":"root"}} <129>2017-02-22T13:26:12-05:00 ln4668 audit-thing[6998]: {"sequence":2286,"timestamp":"1487787972.062","messages":[{"type":1300,"data":"arch=c000003e syscall=50 success=yes exit=0 a0=4 a1=80 a2=1c a3=7ffcdb21f4ac items=0 ppid=1 pid=7083 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm=\"sshd\" exe=\"/usr/sbin/sshd\" key=(null)"}],"uid_map":{"0":"root"}} ^C [root@ld5405 ~]# nc -u -l 514 <129>2017-02-22T13:35:50-05:00 ld5333 audit-thing[2296]: {"sequence":805853,"timestamp":"1487788550.460","messages":[{"type":1300,"data":"arch=c000003e syscall=50 success=yes exit=0 a0=3 a1=80 a2=0 a3=7ffe28997050 items=0 ppid=1 pid=2321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"sshd\" exe=\"/usr/sbin/sshd\" key=(null)"},{"type":1327,"data":"proctitle=2F7573722F7362696E2F73736864002D44"}],"uid_map":{"0":"root","4294967295":"UNKNOWN_USER"}} <129>2017-02-22T13:35:50-05:00 ld5333 audit-thing[2296]: {"sequence":805854,"timestamp":"1487788550.468","messages":[{"type":1300,"data":"arch=c000003e syscall=50 success=yes exit=0 a0=4 a1=80 a2=0 a3=7ffe28996fe4 items=0 ppid=1 pid=2321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"sshd\" exe=\"/usr/sbin/sshd\ after like 4 hours it hasn’t done it this time ☺ not sure what the deal is . [id:image001.png@01D27AE2.650A0A00] Bryan C. Jamieson Senior Systems Engineer THD Austin Technology Center North 13011 McCallen Pass Austin, Tx 78753 W: 737-931-8627 C: 512-221-8906 Email: Bryan_Jamieson@homedepot.com<mailto:Bryan_Jamieson@homedepot.com> From: Nathan Brown <notifications@github.com> Reply-To: slackhq/go-audit <reply@reply.github.com> Date: Wednesday, February 22, 2017 at 12:08 PM To: slackhq/go-audit <go-audit@noreply.github.com> Cc: Bryan Jamieson <BRYAN_JAMIESON@homedepot.com>, Author <author@noreply.github.com> Subject: Re: [slackhq/go-audit] incessant likely missed sequence messages (#23) Was auditd running? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_slackhq_go-2Daudit_issues_23-23issuecomment-2D281752065&d=DwMCaQ&c=MtgQEAMQGqekjTjiAhkudQ&r=sKlxnwXL5hMER5M7S_weJGLwQtOMm_wlozqCY3avvY8&m=7PW07mTH_YCH6Vc9Mz1GDeLdIwgik-EVse_fiPbDbyg&s=Ek49TBAD7m9UURwPyD0FmmcfxNUAIZHrj_jbuu36JoU&e=>, or mute the thread<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AXRJHtvHz7e36UtnBohmKuoiA1g75Phfks5rfHmHgaJpZM4L2xQt&d=DwMCaQ&c=MtgQEAMQGqekjTjiAhkudQ&r=sKlxnwXL5hMER5M7S_weJGLwQtOMm_wlozqCY3avvY8&m=7PW07mTH_YCH6Vc9Mz1GDeLdIwgik-EVse_fiPbDbyg&s=YcMi-QsGEklD8dDe3pzEGU4mxe65Oa42MAVZUxI7JOs&e=>.