Auditd Webhook: Real-Time Linux Audit Events Over HTTP
A simple way to stream audit logs into modern systems — without parsing files manually
What is Auditd Webhook?
It’s a lightweight bridge between Linux’s audit subsystem and external services. Instead of tailing /var/log/audit/audit.log and writing brittle parsers, Auditd Webhook sends events as JSON over HTTP — in real time.
It’s built for engineers who want to plug Linux audit data into modern monitoring, alerting, or SIEM stacks — without building a whole pipeline from scratch. Think of it as an event-forwarder, not a log collector.
Let’s say you’re tracking sensitive file access. Or command executions. Or permission changes.
Auditd can log all of that — but it’s noisy, and the logs aren’t structured.
You want to forward just the useful parts, as JSON, to a webhook. Maybe Splunk. Maybe a custom tool.
That’s where Auditd Webhook fits. It listens on the audit netlink socket and transforms the chaos into clean, structured HTTP payloads.
Where It’s Being Used
– Feeding Linux audit events into Elasticsearch, Splunk, Loki, or OpenSearch.
– Security teams building minimal SIEM or threat detection pipelines.
– Alerting on sudo usage, failed auth attempts, and sensitive syscalls in real time.
– Serverless log ingestion setups — no sidecar needed, just a listener.
Key Characteristics
Feature | Why It’s Useful
--- | ---
Real-Time Webhook Output | Converts audit events into JSON and pushes them via POST
Configurable Filters | Define rules for which events to include — drop the noise, keep the signal
No Log File Parsing | Reads directly from netlink — nothing touches audit.log
Small Footprint | Go binary, fast startup, low CPU/RAM — fits on any server
Systemd-Friendly | Ships with unit file, handles permissions cleanly
Simple Config Format | YAML-based; define endpoints, secrets, selectors
Built-In Retry Logic | Handles webhook failures with backoff and retries
Supports HTTPS and Headers | Integrates cleanly with most cloud services, ELBs, API gateways
Optional Buffering | Prevents overload during high event rates
Open Source | MIT licensed, hackable and transparent
What You Actually Need
– Linux system with auditd enabled
– A destination endpoint (HTTP server, API, collector, etc.)
– Root access to bind to audit netlink
To install:
curl -L https://github.com/elastic/auditd-webhook/releases/latest/download/auditd-webhook-linux-amd64 -o /usr/local/bin/auditd-webhook
chmod +x /usr/local/bin/auditd-webhook
Example systemd service:
[Unit]
Description=Auditd Webhook Forwarder
After=network.target auditd.service
[Service]
ExecStart=/usr/local/bin/auditd-webhook -config /etc/auditd-webhook.yaml
Restart=on-failure
User=root
[Install]
WantedBy=multi-user.target
Example config (/etc/auditd-webhook.yaml):
webhook:
  url: https://logs.example.com/audit
  headers:
    Authorization: Bearer TOKEN123
filters:
  - match: "syscall=execve"
  - match: "uid=0"
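To show what the receiving side of this setup looks like, here is an added example (not part of Auditd Webhook or this page) of a minimal Go endpoint for the config above: it checks the Bearer token in constant time, parses the posted event, and flags a root execve. The JSON field names syscall, uid and exe are assumptions, since the page does not document the forwarder's payload schema, and the status-code convention is also an assumption.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// AuditEvent uses constructed field names; this page does not document the forwarder's JSON schema.
type AuditEvent struct {
	Syscall string `json:"syscall"`
	UID     int    `json:"uid"`
	Exe     string `json:"exe"`
}

// expectedToken is a placeholder for the secret configured under webhook.headers.
const expectedToken = "TOKEN123"

// authorized compares the Bearer token in constant time, so a wrong token
// cannot be confirmed one byte at a time through response timing.
func authorized(r *http.Request) bool {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return false
	}
	tok := []byte(strings.TrimPrefix(h, "Bearer "))
	return subtle.ConstantTimeCompare(tok, []byte(expectedToken)) == 1
}

// suspicious matches what the page's example filters select: execve as root.
func suspicious(e AuditEvent) bool { return e.Syscall == "execve" && e.UID == 0 }

// Handler is the webhook endpoint. Auth and parse failures get 4xx so that a forwarder
// which (assumed here) retries only on transport errors and 5xx does not resend them.
func Handler(w http.ResponseWriter, r *http.Request) {
	if !authorized(r) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	var e AuditEvent
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&e); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	if suspicious(e) {
		log.Printf("ALERT: root executed %s", e.Exe) // hand off to the alerting stack here
	}
	w.WriteHeader(http.StatusNoContent)
}
```

Register Handler with http.HandleFunc("/audit", Handler) and serve it behind TLS; the 1 MiB body cap keeps a misbehaving sender from exhausting memory on the collector.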
What Users Actually Say
“It gave us audit visibility in Loki with zero effort. Logs became events.”
“We stopped writing our own audit parsers. This did the job better.”
“No agents, no sidecars — just one binary pushing data where it needs to go.”
One Thing to Keep in Mind
Auditd Webhook isn’t a full SIEM. It doesn’t analyze. It doesn’t store. It just forwards.
But if what’s needed is a clean, structured stream of audit events — with filters, retries, and HTTP — this tool is about as simple and effective as it gets.