finds.dev

// the find

set-element/auditdBroFramework

★ 15 · C · updated Jan 2018

The Auditd Framework logs and applies security policy to Linux auditd data

A C-based log normalizer for Linux auditd output, intended to make raw audit logs machine-parsable for downstream processing (originally into the Bro IDS, now Zeek). The framework is a small pipeline: auditd config files (audit.rules, auditd.conf) tell the kernel audit subsystem what to record, a C normalizer parses the resulting multi-record audit.log text into structured events, and Bro policy consumes those events. Aimed at security engineers building SIEM pipelines on Linux.

The C normalizer is a real improvement over the abandoned Python predecessor, with none of the memory leaks the audit-libs-python version suffered from. It includes working sample audit.rules and auditd.conf files, which saves meaningful setup time for anyone starting from scratch. The separation of concerns between config, normalizer, and policy is clean for what it is.
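To make the three pipeline stages concrete, here is an added example in Python (not the project's own C code, and not its sample files): a constructed audit.rules fragment in auditctl syntax, a constructed excerpt of the audit.log lines such rules produce, a normalizer that groups the records of one event by their msg=audit(epoch:serial) id and decodes auditd's hex-encoded string fields, and a small policy step of the kind the Bro layer would run. The syscall-number table is a two-entry excerpt for x86_64; a real normalizer loads the full table.

```python
"""Added example: minimal auditd normalizer plus policy check.  Constructed
illustration of the rules -> kernel -> normalizer -> policy pipeline; it is
not the project's code and the rules, log lines and alerts are made up."""
import re
from collections import OrderedDict

# Constructed audit.rules fragment (auditctl syntax): record every execve on
# x86_64 under key "exec" and writes/attribute changes to /etc/passwd under
# key "identity".  This is what the kernel audit subsystem is fed.
AUDIT_RULES = """\
-D
-b 8192
-a always,exit -F arch=b64 -S execve -k exec
-w /etc/passwd -p wa -k identity
"""

# Constructed audit.log excerpt.  All records of one event share
# msg=audit(<epoch>:<serial>); EOE closes the event.  proctitle is hex
# encoded with NUL-separated argv, as auditd really emits it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1516000000.123:1001): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2e0 a2=55d300 a3=0 items=2 ppid=1000 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1516000000.123:1001): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1516000000.123:1001): cwd="/root"
type=PATH msg=audit(1516000000.123:1001): item=0 name="/usr/bin/cat" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1516000000.123:1001): proctitle=636174002F6574632F736861646F77
type=EOE msg=audit(1516000000.123:1001):
type=SYSCALL msg=audit(1516000000.456:1002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd10 a2=241 a3=1b6 items=2 ppid=1 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="identity"
type=PATH msg=audit(1516000000.456:1002): item=1 name="/etc/passwd" inode=77 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=EOE msg=audit(1516000000.456:1002):
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; the value is either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# Fields auditd hex-encodes (unquoted, uppercase hex) when they hold bytes it
# will not print raw.  Scoped per record type so SYSCALL's a0..a3 register
# values are never mistaken for encoded strings.
HEX_FIELDS = {"PROCTITLE": {"proctitle"}, "CWD": {"cwd"}, "PATH": {"name"},
              "SYSCALL": {"comm", "exe"}}
X86_64_SYSCALLS = {"59": "execve", "257": "openat"}  # excerpt only
UNSET_AUID = "4294967295"  # auid of processes with no login session (-1)


def is_hex_field(rtype, key):
    return key in HEX_FIELDS.get(rtype, set()) or (rtype == "EXECVE" and re.fullmatch(r"a\d+", key))


def decode_value(rtype, key, raw):
    """Strip quotes from quoted values, hex-decode encoded string fields."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if is_hex_field(rtype, key) and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        text = bytes.fromhex(raw).decode("utf-8", "replace")
        return text.replace("\x00", " ") if key == "proctitle" else text
    return raw  # numeric, (null), ?, etc. stay as written


def parse_record(line):
    m = HEADER.match(line.rstrip("\n"))
    if not m:
        return None  # blank, truncated or non-audit line: skip, do not crash
    rtype, ts, serial, body = m.groups()
    fields = OrderedDict((k, decode_value(rtype, k, v)) for k, v in FIELD.findall(body))
    return {"type": rtype, "ts": float(ts), "serial": int(serial), "fields": fields}


def build_event(serial, recs):
    event = {"serial": serial, "ts": recs[0]["ts"], "types": [r["type"] for r in recs]}
    for r in recs:
        f = r["fields"]
        if r["type"] == "SYSCALL":
            event.update(f)
            is_x86_64 = f.get("arch") == "c000003e"
            event["syscall_name"] = X86_64_SYSCALLS.get(f.get("syscall"), "unknown") if is_x86_64 else "unknown"
        elif r["type"] == "EXECVE":
            event["argv"] = [f.get("a%d" % i, "") for i in range(int(f.get("argc", 0)))]
        elif r["type"] == "PATH":
            event.setdefault("paths", []).append(f.get("name"))
        elif r["type"] == "CWD":
            event["cwd"] = f.get("cwd")
        elif r["type"] == "PROCTITLE":
            event["proctitle"] = f.get("proctitle")
    return event


def normalize(lines):
    """Yield one structured event per serial; flush on EOE and at end of input."""
    pending = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "EOE":
            if rec["serial"] in pending:
                yield build_event(rec["serial"], pending.pop(rec["serial"]))
            continue
        pending.setdefault(rec["serial"], []).append(rec)
    for serial in list(pending):  # events cut off before their EOE (rotated/truncated log)
        yield build_event(serial, pending.pop(serial))


def policy(event):
    """Constructed downstream checks of the kind a Bro/SIEM policy layer would run."""
    alerts = []
    auid, uid = event.get("auid"), event.get("uid")
    if event.get("syscall_name") == "execve" and auid not in (None, UNSET_AUID) and auid != uid:
        alerts.append("uid %s exec by login uid %s: %s" % (uid, auid, " ".join(event.get("argv", []))))
    if event.get("key") == "identity":
        alerts.append("identity file touched: %s by %s" % (event.get("paths"), event.get("exe")))
    return alerts


if __name__ == "__main__":
    for ev in normalize(SAMPLE_LOG.splitlines()):
        print(ev["serial"], ev["syscall_name"], ev.get("argv"), policy(ev))
```

The per-record-type hex table matters: in SYSCALL records a0..a3 are raw register values, while in EXECVE records the same names carry argv strings that auditd hex-encodes whenever they contain a space or non-printable byte, so a normalizer that decodes on field name alone corrupts one or the other. Flushing pending serials at end of input covers log rotation and truncated files, which otherwise silently lose the last event.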

Abandoned since January 2018, eight years without a commit. The Bro policy was already split off to another repo before this one was archived, so the integration story is incomplete and that other repo may also be gone. The README openly documents a memory-leaking deprecated Python version still sitting in the tree, which is not a confidence builder. No tests, no CI, no build instructions beyond a Makefile, and the docs folder contains SVN metadata: this was never production-hardened. Two practical caveats follow from that. The audit record format has gained record types and fields since 2018, so an unmaintained normalizer will silently drop or misparse what newer kernels and auditd emit; and the fields it parses (argv, file names, proctitle) are attacker-influenced bytes, which is exactly the input you do not want going through untested C. Treat it as a reference design to read, not a component to deploy.
