# HostChange
HostChange collector monitors various configuration changes on Linux hosts, builds change event data, and reports it to the Guance platform.
Note: This collector only supports Linux operating systems and does not support Windows systems.
## Feature Description
The HostChange collector supports the following change detection features:
| Feature Module | Description |
|---|---|
| User and Group Changes | Monitor /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow files to detect user and group creation, deletion, attribute modifications, and membership changes |
| Crontab Changes | Monitor /etc/crontab, /etc/cron.d/*, /var/spool/cron/crontabs/* files to detect scheduled task changes |
| File Content Changes | Monitor content changes of specified files with diff comparison support |
| Service Changes | Monitor systemd or sysvinit service creation, deletion, attribute modifications, and status changes |
| Network Configuration Changes | Monitor network interface, DNS configuration, routing configuration, and firewall rule changes |
## Configuration
Navigate to the conf.d/samples directory under the DataKit installation directory, copy host_change.conf.sample and rename it to host_change.conf. An example is as follows:
```toml
[[inputs.host_change]]
  ## Interval between collections
  interval = "1m"

  ## Enable user and group change detection
  [inputs.host_change.user_group]
    ## Whether to enable user and group change detection
    enabled = true

  ## Crontab change detection configuration
  # Collect files from /etc/crontab, /etc/cron.d/*, /var/spool/cron/crontabs/*
  [inputs.host_change.crontab]
    ## Whether to enable crontab change detection
    enabled = true

  ## File change detection configuration
  [inputs.host_change.file]
    ## Whether to enable file change detection
    enabled = false
    ## Files to monitor for changes
    # Notes:
    # 1. Only regular files are supported, directories are not allowed
    # 2. All paths must be absolute paths
    files = [
      # "/etc/passwd",
      # "/etc/group",
      # "/etc/sudoers"
    ]
    ## Files larger than this size will not compare full content.
    ## Default value: 262144 bytes (256KB)
    max_file_size = 262144
    ## Paths to ignore when monitoring file changes
    ignore_paths = [
      # "/etc/ssh/sshd_config.d/*",
      # "/tmp/",
      # "*.tmp"
    ]

  ## Service change detection configuration
  [inputs.host_change.service]
    ## Whether to enable service change detection
    enabled = true
    ## Service types to monitor (systemd, sysvinit)
    # If empty, all service types will be monitored and systemd is preferred when both are available
    service_types = ["systemd"]
    ## Services to ignore (service names without .service suffix, supports regex)
    ignore_services = []
    ## Services to include (service names without .service suffix, supports regex)
    # If not empty, only services matching these patterns will be monitored
    # include_services = []

  ## Network configuration change detection configuration
  [inputs.host_change.network]
    ## Whether to enable network configuration change detection
    enabled = true
    ## Interfaces to ignore (interface names, supports wildcard)
    ignore_interfaces = [
      # "lo",
      # "docker*",
      # "veth*"
    ]

  [inputs.host_change.tags]
    # some_tag = "some_value"
    # more_tag = "some_other_value"
```
After configuration, restart DataKit to apply the changes.
In Kubernetes, the collector can be enabled by injecting its configuration through a ConfigMap.
## Change Events

Every collected event carries a global tag named host (its value is the hostname of the machine where DataKit runs). You can also attach additional tags through [inputs.host_change.tags] in the configuration.

### Event Field Description

#### Change Event
| Tags & Fields | Description |
|---|---|
| change_id (tag) | Unique identifier of the change event type (see Change Event Types below). |
| df_event_id (tag) | Event ID. |
| df_message (tag) | Event message. |
| df_source (tag) | Source name. |
| df_status (tag) | Event status. |
| df_sub_status (tag) | Event detail status. |
| df_title (tag) | Event title. |
| host (tag) | System hostname. |
| change_time_us (field) | Timestamp of the change event in microseconds. Type: int. Unit: timestamp, usec. |
### Change Event Types

- User and Group Change Events

| Change ID | Description |
|---|---|
| host_change_01_01 | Create user |
| host_change_01_02 | Delete user |
| host_change_01_03 | Modify user attributes |
| host_change_01_04 | Create group |
| host_change_01_05 | Delete group |
| host_change_01_06 | Modify group attributes |
| host_change_01_07 | Add user to group |
| host_change_01_08 | Remove user from group |

- Crontab Change Events

| Change ID | Description |
|---|---|
| host_change_02_01 | Crontab task change |

- File Change Events

| Change ID | Description |
|---|---|
| host_change_03_01 | File content change |

- Service Change Events

| Change ID | Description |
|---|---|
| host_change_04_01 | Create service |
| host_change_04_02 | Delete service |
| host_change_04_03 | Modify service |
| host_change_04_04 | Service status change |

- Network Configuration Change Events

| Change ID | Description |
|---|---|
| host_change_05_01 | Network interface change |
| host_change_05_02 | DNS configuration change |
| host_change_05_03 | Routing configuration change |
| host_change_05_04 | Firewall rule change |
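To show how the user change IDs above map onto actual /etc/passwd differences between two collection intervals, here is an added example that is not DataKit's own code: it snapshots the file as name-to-record pairs, diffs two snapshots and emits one event per created (host_change_01_01), deleted (host_change_01_02) or modified (host_change_01_03) user with the documented df_title and change_time_us values. The Event type, parsePasswd, DiffPasswd and the sample snapshots are assumptions of this example; group change IDs (01_04 to 01_08) would follow the same pattern over /etc/group.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

type Event struct { // documented change-event fields; DataKit adds the host tag globally
	ChangeID, DfTitle, DfMessage string
	ChangeTimeUs                 int64
}

// parsePasswd maps user name -> full record line of /etc/passwd-style text.
func parsePasswd(text string) map[string]string {
	users := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if name, _, ok := strings.Cut(strings.TrimSpace(line), ":"); ok && name != "" {
			users[name] = strings.TrimSpace(line)
		}
	}
	return users
}
// DiffPasswd compares two snapshots and emits one event per created, deleted or modified user.
func DiffPasswd(oldText, newText string) []Event {
	oldU, newU := parsePasswd(oldText), parsePasswd(newText)
	now := time.Now().UnixMicro()
	var ev []Event
	for name, rec := range newU {
		if prev, seen := oldU[name]; !seen {
			ev = append(ev, Event{"host_change_01_01", "Create user", name + " added: " + rec, now})
		} else if prev != rec {
			ev = append(ev, Event{"host_change_01_03", "Modify user attributes", name + ": " + prev + " -> " + rec, now})
		}
	}
	for name := range oldU {
		if _, still := newU[name]; !still {
			ev = append(ev, Event{"host_change_01_02", "Delete user", name + " removed", now})
		}
	}
	// Map order is random; sort by change ID so output and assertions are stable.
	sort.Slice(ev, func(i, j int) bool { return ev[i].ChangeID < ev[j].ChangeID })
	return ev
}
func main() { // constructed sample snapshots, not real host data
	before := "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\nbob:x:1001:1001::/home/bob:/bin/sh\n"
	after := "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/zsh\nsvc:x:1002:1002::/var/lib/svc:/usr/sbin/nologin\n"
	fmt.Printf("%+v\n", DiffPasswd(before, after))
}
```

Running it yields three events: svc created, bob deleted and alice's shell modified, while the unchanged root record produces nothing.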