AUDISP-STATSD(8) System Administration Utilities AUDISP-STATSD(8)

audisp-statsd - plugin to push audit metrics to a statsd service

audisp-statsd [ OPTIONS ]

audisp-statsd is a plugin for the audit event dispatcher that pushes audit metrics to a statsd service using UDP. It reads auditd's state report at regular intervals and forwards the data. Generation of the state report must be enabled in auditd.conf.

The plugin's configuration file is /etc/audit/audisp-statsd.conf. The following parameters are recognized:

The name or address of the statsd server.
The UDP port of the statsd service.
Time interval between reading auditd's report. The value is a time string such as 10m, 1h, 2d, or 6M where the suffix is s for seconds, m for minutes, h for hours, d for days, and M for months. The default is 15s.

The plugin collects the following metrics as gauges:

number of kernel events pending transfer to user space
number of kernel events dropped
how much disk free space auditd sees in MiB
number of events in auditd pending transfer to plugins
historical maximum number of events backlogged while pending transfer to plugins
current total memory in use by glibc in KiB
how much of the total memory is actively used in KiB
amount of free memory available in the glibc arenas in KiB

The following metrics are counters:

total number of events seen during interval
total number of events seen during interval with failed outcome
total number of AVC events seen during interval
total number of FANOTIFY events seen during interval
total number of successful login events seen during interval
total number of failed login events seen during interval
total number of anomaly events seen during interval
total number of anomaly response events seen during interval
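
The gauge/counter distinction above matters on the receiving side. The following added example (not part of audisp-statsd or the audit project) aggregates statsd datagrams in the common `name:value|type` line format and raises two checks a monitoring pipeline might want. The metric names and the 0.5 threshold are hypothetical placeholders chosen by the caller; the plugin's real metric names are not shown on this page.

```python
# Added example: receiver-side handling of gauges vs. counters.
# Metric names passed in by the caller are hypothetical placeholders.
from collections import defaultdict


def parse_statsd(datagram: bytes):
    """Yield (name, value, type) per line; silently skip malformed lines."""
    for line in datagram.decode("ascii", "replace").splitlines():
        try:
            name, rest = line.split(":", 1)
            value, mtype = rest.split("|")[:2]
            if not name or mtype not in ("g", "c"):
                continue
            yield name, float(value), mtype
        except ValueError:
            continue  # UDP input is unauthenticated; never trust its shape


class Aggregator:
    def __init__(self):
        self.gauges = {}
        self.counters = defaultdict(float)

    def feed(self, datagram: bytes):
        for name, value, mtype in parse_statsd(datagram):
            if mtype == "g":
                self.gauges[name] = value     # gauge: latest reading replaces
            else:
                self.counters[name] += value  # counter: interval totals add up

    def alerts(self, lost_gauge, total_counter, failed_counter,
               max_fail_ratio=0.5):
        """Return alert strings for dropped events and high failure ratio."""
        out = []
        if self.gauges.get(lost_gauge, 0) > 0:
            out.append("kernel dropped audit events")
        total = self.counters.get(total_counter, 0)
        failed = self.counters.get(failed_counter, 0)
        if total and failed / total > max_fail_ratio:
            out.append("failed-outcome ratio above threshold")
        return out
```

Because the transport is UDP, datagrams can be lost or spoofed; treat the resulting metrics as health signals, not as an audit record.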

/etc/audit/audisp-statsd.conf
/etc/audit/plugins/au-statsd.conf

auditd.conf(8), auditd-plugins(5).

Steve Grubb

June 2025 Red Hat