AUDISP-STATSD(8)        System Administration Utilities        AUDISP-STATSD(8)

NAME
       audisp-statsd - plugin to push audit metrics to a statsd service

SYNOPSIS
       audisp-statsd [ OPTIONS ]

DESCRIPTION
       audisp-statsd is a plugin for the audit event dispatcher that pushes
       audit metrics to a statsd service using UDP. It reads auditd's state
       report at regular intervals and forwards the data. Generation of the
       state report must be enabled in auditd.conf.

CONFIGURATION
       The plugin's configuration file is /etc/audit/audisp-statsd.conf. The
       following parameters are recognized:

       address
              The name or address of the statsd server.

       port
              The UDP port of the statsd service.

       interval
              Time interval between reading auditd's report. The value is a
              time string such as 10m, 1h, 2d, or 6M where the suffix is s
              for seconds, m for minutes, h for hours, d for days, and M for
              months. The default is 15s.

REPORT METRICS
       The plugin collects the following metrics as gauges:

       backlog
              number of kernel events pending transfer to user space

       lost
              number of kernel events dropped

       free_space
              how much disk free space auditd sees in MiB

       plugin_current_depth
              number of events in auditd pending transfer to plugins

       plugin_max_depth
              historical maximum number of events backlogged while pending
              transfer to plugins

       total_memory
              current total memory in use by glibc in KiB

       memory_in_use
              how much of the total memory is actively used in KiB

       memory_free
              amount of free memory available in the glibc arenas in KiB

       The following metrics are counters:

       events_total_count
              total number of events seen during interval

       events_total_failed
              total number of events seen during interval with failed outcome

       events_avc_count
              total number of AVC events seen during interval

       events_fanotify_count
              total number of FANOTIFY events seen during interval

       events_logins_success
              total number of successful login events seen during interval

       events_logins_failed
              total number of failed login events seen during interval

       events_anamoly_count
              total number of anomaly events seen during interval

       events_response_count
              total number of anomaly response events seen during interval

FILES
       /etc/audit/audisp-statsd.conf
       /etc/audit/plugins/au-statsd.conf

SEE ALSO
       auditd.conf(8), auditd-plugins(5).

AUTHOR
       Steve Grubb

Red Hat                            June 2025                   AUDISP-STATSD(8)
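
The following Python example is added here and is not part of the audit project. It parses statsd lines (name:value|type) carrying the metrics listed under REPORT METRICS and flags conditions that threaten the audit trail. The "audit." name prefix, the thresholds and the sample datagram are assumptions constructed for illustration.

```python
# Added example: triage audisp-statsd metrics received in statsd line format.
# Metric names and the gauge/counter split come from REPORT METRICS above.
GAUGES = {"backlog", "lost", "free_space", "plugin_current_depth",
          "plugin_max_depth", "total_memory", "memory_in_use", "memory_free"}
COUNTERS = {"events_total_count", "events_total_failed", "events_avc_count",
            "events_fanotify_count", "events_logins_success",
            "events_logins_failed", "events_anamoly_count",
            "events_response_count"}

def parse_datagram(payload: bytes) -> dict:
    """Return {metric: value} for well-formed 'name:value|type' lines.

    Assumption: a dotted prefix may precede the name, so only the last
    component is matched. Unknown names and type mismatches are dropped.
    """
    metrics = {}
    for line in payload.decode("ascii", "replace").splitlines():
        name, colon, rest = line.strip().partition(":")
        value, bar, mtype = rest.partition("|")
        short = name.rsplit(".", 1)[-1]
        expected = "g" if short in GAUGES else "c" if short in COUNTERS else None
        if not (colon and bar) or expected is None or mtype.split("|")[0] != expected:
            continue
        try:
            metrics[short] = float(value)
        except ValueError:
            continue  # non-numeric value: ignore the line
    return metrics

def health_findings(metrics: dict, min_free_mib=1024, max_failed_logins=5) -> list:
    """Flag conditions that threaten the audit trail. Thresholds are assumed."""
    findings = []
    if metrics.get("lost", 0) > 0:
        findings.append(("lost", "kernel dropped audit events; the trail has gaps"))
    if metrics.get("free_space", min_free_mib) < min_free_mib:
        findings.append(("free_space", "low disk space seen by auditd"))
    if metrics.get("events_logins_failed", 0) > max_failed_logins:
        findings.append(("events_logins_failed", "failed logins above threshold"))
    return findings

# Constructed sample datagram; the "audit." prefix is hypothetical.
SAMPLE = (b"audit.backlog:0|g\naudit.lost:12|g\naudit.free_space:512|g\n"
          b"audit.events_logins_failed:9|c\naudit.events_total_count:340|c\n"
          b"audit.bogus:1|g\naudit.lost|g\n")

if __name__ == "__main__":
    for metric, message in health_findings(parse_datagram(SAMPLE)):
        print(f"{metric}: {message}")
```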