
[Feature Request] Push-delivery of audit events

Open iBigQ opened this issue 5 years ago • 0 comments

I understand the abstraction layer with SQL and like that you stay with it. I am not quite sure about details of your current zeek-agent implementation, so please comment if I am wrong.

I assume that you, similar to osquery, have some kind of tables that are fed with data asynchronously from audit. Furthermore, queries are executed on a regular basis to retrieve new table results and to forward them to Zeek every X seconds. For the purpose of real-time correlation of the host and network data in Zeek, it might be reasonable to get the host data into Zeek as soon as possible, i.e., as available through audit. However, there might be a delay until forwarding these data (up to X seconds).

Thus, what about treating the SQL queries as a filter for asynchronously recorded audit calls? Not sure about the implementation, but from a concept point of view this can be quite similar to first writing to a table and then matching table entries against a query. Instead, we could directly match individual entries (at the time they come in from audit) against the SQL queries and forward applicable events immediately to Zeek.

iBigQ avatar Jan 30 '20 08:01 iBigQ
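The two delivery models the issue contrasts, as an added illustration that is not part of the original issue and not zeek-agent's code: a small sqlite3 sketch in which subscribed SQL queries are ordinary SELECTs over a `processes` table. `run_poll` accumulates events and runs the queries every `interval` events (the "every X seconds" model), while `run_push` evaluates each event against every query the moment it arrives and forwards matches immediately. The event fields, table schema and query names are assumptions made for the demo, and the audit events are constructed samples, not real audit output.

```python
"""Push vs. poll matching of audit events against SQL queries (sqlite3 sketch)."""
import sqlite3

# Constructed sample audit events; the field names are an assumption for this demo,
# not zeek-agent's real table schema.
SAMPLE_EVENTS = [
    {"pid": 101, "uid": 0,    "syscall": "execve",  "path": "/usr/bin/id"},
    {"pid": 102, "uid": 1000, "syscall": "execve",  "path": "/bin/ls"},
    {"pid": 103, "uid": 1000, "syscall": "connect", "path": ""},
    {"pid": 104, "uid": 0,    "syscall": "execve",  "path": "/usr/bin/curl"},
]

# Hypothetical subscriptions: each is a plain SQL query over the `processes` table,
# so the same query text serves both as a poll query and as a push filter.
QUERIES = {
    "root_exec":   "SELECT pid, path FROM processes WHERE uid = 0 AND syscall = 'execve'",
    "any_connect": "SELECT pid FROM processes WHERE syscall = 'connect'",
}

SCHEMA = "CREATE TABLE processes(pid INTEGER, uid INTEGER, syscall TEXT, path TEXT)"
INSERT = "INSERT INTO processes VALUES (:pid, :uid, :syscall, :path)"


class QueryMatcher:
    """Shared core for both models: an in-memory table plus the subscribed queries."""

    def __init__(self, queries):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(SCHEMA)
        self.queries = {}
        for name, sql in queries.items():
            self.conn.execute(sql)  # validate the SQL against the empty table at subscription time
            self.queries[name] = sql

    def run_queries(self):
        """Yield (query_name, row_dict) for every row each query matches right now."""
        for name, sql in self.queries.items():
            cur = self.conn.execute(sql)
            cols = [d[0] for d in cur.description]
            for row in cur.fetchall():
                yield name, dict(zip(cols, row))

    def clear(self):
        self.conn.execute("DELETE FROM processes")


def run_push(events, queries):
    """Push delivery: each event is matched as it arrives and forwarded at once.

    Returns (seq, query_name, pid) tuples; seq is the event number at which the
    match would reach Zeek.
    """
    m = QueryMatcher(queries)
    forwarded = []
    for seq, ev in enumerate(events, 1):
        m.clear()                      # the table holds only the single event under evaluation
        m.conn.execute(INSERT, ev)
        for name, row in m.run_queries():
            forwarded.append((seq, name, row["pid"]))
    return forwarded


def run_poll(events, queries, interval):
    """Poll delivery: events accumulate and are matched only every `interval` events.

    Events still buffered when the input ends are flushed by one final poll.
    """
    m = QueryMatcher(queries)
    forwarded = []

    def flush(seq):
        for name, row in m.run_queries():
            forwarded.append((seq, name, row["pid"]))
        m.clear()

    seq = 0
    for seq, ev in enumerate(events, 1):
        m.conn.execute(INSERT, ev)
        if seq % interval == 0:        # the periodic "every X seconds" query run
            flush(seq)
    if seq % interval:
        flush(seq)
    return forwarded


def delivery_delay(push, poll):
    """Per match, how many events later the poll model delivers it than the push model."""
    push_seq = {(name, pid): seq for seq, name, pid in push}
    return {(name, pid): seq - push_seq[(name, pid)] for seq, name, pid in poll}


if __name__ == "__main__":
    push = run_push(SAMPLE_EVENTS, QUERIES)
    poll = run_poll(SAMPLE_EVENTS, QUERIES, interval=2)
    print("push:", push)
    print("poll:", poll)
    print("delay (in events):", delivery_delay(push, poll))
```

With the sample above, the push model forwards the root `execve` of pid 101 at event 1 and the `connect` of pid 103 at event 3, whereas polling every two events delivers them at events 2 and 4 respectively; the `delivery_delay` map makes that lag explicit. The push model pays for its latency by running every subscribed query once per event, so the number and cost of the subscribed queries, rather than the poll interval, becomes the thing to budget for.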