CoursesAdvanced Linux securityDetection engineering

The audit pipeline

Collect, normalize, and where it belongs.

Advanced14 min · lesson 9 of 17

Detecting everything above requires visibility, and visibility is a pipeline problem: collecting the right events on each host, normalizing them into a consistent shape, and getting them somewhere safe to search — all without drowning in volume or cost. The foundation is the audit data the previous course produced (auditd rules) plus richer sources you will add (eBPF, osquery), and the architecture decision is where each stage of collection, filtering, and analysis belongs.

The detection pipeline
1collect
auditd, eBPF, osquery on the host
2filter + normalize
at the edge — before shipping
3ship
off-host to central store
4detect + hunt
rules + queries in a SIEM
Filter and normalize at the host edge, not after ingest — every raw record you do not ship is money and noise saved.

Filter at the edge, not after ingest

The single most important cost-and-signal decision is where you filter. Shipping every raw event to a SIEM and filtering there is how security teams get six-figure ingest bills and drown in noise. Instead, drop the known-benign high-volume events at the host or a nearby aggregator before they are shipped, and normalize the rest into a consistent schema so detections are simple to write. Every raw auditd record you choose not to ship is money saved and one less thing burying the event that matters.

Ship off-host, because local logs lie

The recurring theme of this course — a compromised host’s local data cannot be trusted — makes off-host shipping non-negotiable for security telemetry. Events must reach a central store the attacker on that host cannot reach or edit, ideally in near-real-time so the record exists before an intruder thinks to cover their tracks. This is also what lets you correlate across the fleet (the same technique appearing on three hosts) and investigate a host that has since been wiped or is untrustworthy. The pipeline’s destination is a source of truth outside the blast radius.

terminal
# ship audit events off-host in near-real-time (audisp/rsyslog/vector → central store)
# /etc/audit/plugins.d/au-remote.conf or a forwarder like Vector/Fluent Bit:
# - read auditd + journald + eBPF events
# - drop known-benign high-volume noise HERE (at the edge)
# - normalize to a common schema, then forward to the SIEM/data lake
Telemetry that stays on the host is telemetry the attacker controls
The whole point of a detection pipeline is that the evidence survives the compromise — so if your audit logs only live on the host that got popped, you have optimized for the one scenario where they are worthless. Ship security-relevant events off-box promptly, protect the central store’s integrity, and treat local-only logging as a gap. And filter at the edge: an unaffordable SIEM gets its retention cut, and short retention is how you fail to investigate the breach you discover two months late.