In a distributed world, monitoring system calls with kauditd can present challenges. In this talk we will address some of those challenges and give a use case of how we build an event pipeline for monitoring file system events.
With the rise of containers and generic container based operating systems we find ourselves with a large quantity of nodes that do general compute tasks. These nodes produce a large volume of audit data that we can leverage for many tasks. In our use case we wanted a way to monitor all file system changes in ways that we could not do with the existing libraries or tools. In this talk we will describe how we chose to use audit log system to monitor file system changes, how we built our system to scale and the pros and cons we have found from our solution. We will also talk about possible future work with respect to security and execution monitoring.