slackhq / go-audit

go-audit is an alternative to the auditd daemon that ships with many distros

Config plugin in go-audit

rhonnava opened this issue · comments

Currently config is read from a file based on the --config command line argument. For an environment where thousands of nodes are monitored using go-audit, these config files need to be pushed from an external tool like Chef.

Here are a few thoughts I have:

  • If configs are pulled in a scheduled interval, securely over HTTPS from a central fleet manager exposing config as a REST API, changes in audit configuration can be added and removed frequently and managed more easily.
  • If an external plugin is used (https://golang.org/pkg/plugin/) to read configs, then any custom config plugins can be developed and used at runtime without disturbing the core part of the code.

I could send up a pull request if you like this idea.

I have a few thoughts:

  • Restarting go-audit is generally a fast operation and has been good enough for us and others in the past when dealing with config change.
  • You could tweak active audit rules using auditctl directly without restarting go-audit or changing go-audit's configuration.
  • go-audit uses viper for config parsing and has a way to watch config files for changes. Reloading the active rules would be fairly simple, but a fully supported graceful reload would be more difficult, and restarting is already pretty fast.
  • viper can read configuration from remote key/value stores like Consul or etcd. We could expose that type of configuration source via the config file, but the above problem would remain.

Can you tell me a bit more about your use case and if any of these thoughts may help you solve some problems?
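One way to do the "reload the active rules" part mentioned above, as an added example that is not go-audit's own code: given the previously installed `rules` list and a freshly read one, compute the minimal set of auditctl changes instead of flushing and re-adding everything. The sample rule strings, `PlanReload` and `norm` are constructed for this example; fetching the new config (over HTTPS, or via viper's file watching) and executing the plan are left to the caller.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample rule sets in go-audit's auditctl-argument style: the rules
// currently installed and the rules just read from a refreshed config.
var currentRules = []string{"-a exit,always -F arch=b64 -S execve", "-w /etc/passwd -p wa -k passwd"}
var nextRules = []string{"-a  exit,always -F arch=b64 -S execve", "-w /etc/shadow -p wa -k shadow"}
// norm collapses whitespace so trivially reformatted rules compare equal.
func norm(rule string) string { return strings.Join(strings.Fields(rule), " ") }
// PlanReload returns the auditctl argument lists (deletions first, then additions)
// that move from prev to next, leaving rules common to both sets installed. A rule is
// removed via its delete form ("-a ..." -> "-d ...", "-w path" -> "-W path"); anything else cannot be undone selectively, so the caller must restart.
func PlanReload(prev, next []string) ([][]string, error) {
	want, have := map[string]bool{}, map[string]bool{}
	for _, r := range next {
		want[norm(r)] = true
	}
	var plan [][]string
	for _, r := range prev {
		f := strings.Fields(r)
		have[strings.Join(f, " ")] = true
		if len(f) == 0 || want[strings.Join(f, " ")] {
			continue
		}
		switch f[0] {
		case "-a":
			f[0] = "-d"
		case "-w":
			f[0] = "-W"
		default:
			return nil, fmt.Errorf("no delete form for rule %q; restart instead", r)
		}
		plan = append(plan, f)
	}
	for _, r := range next {
		if n := norm(r); !have[n] {
			plan = append(plan, strings.Fields(n))
		}
	}
	return plan, nil
}

func main() {
	plan, err := PlanReload(currentRules, nextRules)
	fmt.Println(plan, err) // a real reloader would exec each entry as "auditctl <args>"
}
```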