Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFE: missing sport and dport from NETFILTER_PKT audit log #162

Open
mvasi90 opened this issue Jun 20, 2024 · 1 comment
Open

RFE: missing sport and dport from NETFILTER_PKT audit log #162

mvasi90 opened this issue Jun 20, 2024 · 1 comment
Labels
enhancement

Comments

@mvasi90
Copy link

mvasi90 commented Jun 20, 2024
edited
Loading

nft log level audit writes the messages into the audit buffer for reading with ausearch.

I want to use it instead of journalctl, but it is very limited. Only shows saddr,daddr and proto:

ausearch -i -m netfilter_pkt
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:52.819:576) : mark=0x0 saddr=<ip> daddr=<ip> proto=tcp 
----
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:56.452:577) : mark=0x0 saddr=<ip> daddr=<ip> proto=tcp 
...

dpt and spt is needed.
For the output packets the sid and gid is needed.

I can't believe I'm the only one who has this need. No one else has reported it?
@pcmoore pcmoore changed the title Missing sport and dport from NETFILTER_PKT audit log RFE: missing sport and dport from NETFILTER_PKT audit log Jun 20, 2024
@pcmoore
Copy link
Contributor

pcmoore commented Jun 20, 2024

No one else has reported it?

I don't believe so, but I could be wrong. If you are interested in this new functionality, patches are always welcome upstream.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pcmoore @mvasi90