Many VQL plugins and functions provide access to Linux APIs. The following are available only when running on Linux.
Register as an audit daemon in the kernel.
On Linux, the audit subsystem provides real-time information about auditable kernel events. This plugin registers as a consumer and returns the parsed events as rows.
You should configure the audit subsystem using the
binary before using this plugin.