audit-kernel

RFE: missing sport and dport from NETFILTER_PKT audit log

Open mvasi90 opened this issue 1 year ago • 1 comment

nft log level audit writes the messages into the audit buffer for reading with ausearch.

I want to use it instead of journalctl, but it is very limited. It only shows saddr, daddr and proto:

ausearch -i -m netfilter_pkt
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:52.819:576) : mark=0x0 saddr=<ip> daddr=<ip> proto=tcp 
----
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:56.452:577) : mark=0x0 saddr=<ip> daddr=<ip> proto=tcp 
...

dpt and spt are needed. For the output packets the sid and gid are needed.

I can't believe I'm the only one who has this need. No one else has reported it?

mvasi90 avatar Jun 20 '24 14:06 mvasi90
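The following is an added example, not code from the issue or from the audit project. It parses `ausearch -i -m netfilter_pkt` output of the shape quoted above into per-record field dictionaries and then shows the practical consequence of the missing port fields: without them, every connection between the same two hosts over the same protocol collapses into a single flow key, so individual TCP sessions cannot be told apart from the audit trail. The sample records, addresses and serial numbers are constructed, and the port field names `spt`/`dpt` are taken from the issue's wording as an assumption, since the current record type does not emit them.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of the `ausearch -i -m netfilter_pkt` output
# quoted in the issue. Addresses and serial numbers are made up, not taken
# from any real system.
SAMPLE_AUSEARCH = """\
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:52.819:576) : mark=0x0 saddr=192.0.2.10 daddr=198.51.100.7 proto=tcp
----
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:56.452:577) : mark=0x0 saddr=192.0.2.10 daddr=198.51.100.7 proto=tcp
----
type=NETFILTER_PKT msg=audit(06/20/2024 15:50:01.100:578) : mark=0x0 saddr=2001:db8::1 daddr=2001:db8::2 proto=udp
"""

# Port fields the issue asks for. The names follow the issue's wording and are
# an assumption: the current NETFILTER_PKT record does not carry them at all.
REQUESTED_FIELDS: Tuple[str, ...] = ("spt", "dpt")

# Interpreted record layout: `type=<TYPE> msg=audit(<time>:<serial>) : <key=value ...>`
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<inner>[^)]*)\) : (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Optional[dict]:
    """Parse one interpreted audit record; return None for separators and blank lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # The interpreted timestamp itself contains colons, so split off the serial
    # at the last colon rather than the first.
    time_str, _, serial = m.group("inner").rpartition(":")
    return {
        "type": m.group("type"),
        "time": time_str,
        "serial": int(serial),
        "fields": dict(KV_RE.findall(m.group("body"))),
    }


def parse_ausearch(text: str) -> List[dict]:
    """Parse a whole ausearch dump, skipping the `----` record separators."""
    records = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def missing_fields(record: dict, wanted: Tuple[str, ...] = REQUESTED_FIELDS) -> List[str]:
    """Names from `wanted` that this record does not carry."""
    return [name for name in wanted if name not in record["fields"]]


def flow_key(record: dict) -> Tuple:
    """5-tuple-style flow key; the port positions are None when the record lacks them."""
    f = record["fields"]
    return (f.get("saddr"), f.get("daddr"), f.get("proto"), f.get("spt"), f.get("dpt"))


def distinct_flows(records: List[dict]) -> Set[Tuple]:
    """Distinct flows visible in the records. With no port fields, every
    connection between the same hosts over the same protocol shares one key."""
    return {flow_key(r) for r in records}


if __name__ == "__main__":
    recs = parse_ausearch(SAMPLE_AUSEARCH)
    for r in recs:
        print(r["serial"], r["fields"], "missing:", missing_fields(r))
    # Three packets, but only two distinguishable flows: the two TCP records
    # cannot be separated into their respective connections.
    print("distinct flows:", len(distinct_flows(recs)))
```

Running the block prints the three parsed records, each reporting `spt` and `dpt` as missing, and a distinct-flow count of 2 for 3 packets; the two TCP records may belong to one connection or two, and the current record gives no way to tell.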

> No one else has reported it?

I don't believe so, but I could be wrong. If you are interested in this new functionality, patches are always welcome upstream.

pcmoore avatar Jun 20 '24 14:06 pcmoore

@mvasi90, kernel patch submitted upstream [1].

[1] https://lore.kernel.org/audit/[email protected]/T/#u

rprobaina avatar Sep 22 '25 22:09 rprobaina