Realtime parsing with Auparse
Steve Grubb
sgrubb at redhat.com
Tue Nov 18 16:38:59 UTC 2014
On Tuesday, November 18, 2014 02:37:38 PM Wouter van Verre wrote:
> Hi all,
>
> I am looking to do some real time parsing with audit. After some testing I
> figured it would be easier to do the parsing in a plugin on the local machine
> and then send the parsed data to a remote machine for storage.
>
> After reading the audit-parse.txt document I am not quite sure how to
> proceed. Given that the plugin will receive data on stdin, how would I go
> about setting the auparse library up (for example, what ausource_t should I
> specify to initialise the auparse_state_t object) to enable real time
> parsing?
There is an example plugin in the source distribution. You can see it here:
https://fedorahosted.org/audit/browser/trunk/contrib/plugin
The plugin provides a code skeleton and demonstration of how to move around
the events / records / fields. Other examples would be the prelude-plugin and
aulast utility.
-Steve
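As an added example (not the contrib plugin Steve points to, and not code from the audit project), here is the shape of a stdin-driven audisp plugin in C. A real plugin would call `auparse_init(AUSOURCE_FEED, NULL)`, register a callback with `auparse_add_callback`, hand each line read from stdin to `auparse_feed`, and call `auparse_flush_feed` at end of input. The small hand-written parser below stands in for libauparse so the block builds without audit-libs; the `type=... msg=audit(time:serial): key=value ...` layout it parses is the standard audit record text, and the sample lines in the usage are constructed. Grouping records into an event purely by serial is a simplification: auparse also closes an event after a timeout.

```c
/* Added example: a minimal stdin-fed audit record parser that mirrors the
 * structure of an audisp plugin. libauparse (AUSOURCE_FEED + auparse_feed)
 * is what a real plugin should use; this parser only stands in for it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 32
#define MAX_RECORDS 8

struct field { char name[32]; char value[128]; };

struct record {
    char type[32];          /* e.g. SYSCALL, EXECVE, USER_LOGIN */
    char time[32];          /* seconds.millis from msg=audit(time:serial) */
    unsigned long serial;   /* records sharing a serial form one event */
    int nfields;
    struct field fields[MAX_FIELDS];
};

/* Parse "type=T msg=audit(TIME:SERIAL): k=v k2="v 2" ..." into r.
 * Returns 1 on success, 0 if the line is not a well-formed record. */
int parse_record(const char *line, struct record *r)
{
    memset(r, 0, sizeof *r);
    const char *p = strstr(line, "type=");
    if (!p || sscanf(p, "type=%31s", r->type) != 1) return 0;
    const char *m = strstr(line, "msg=audit(");
    if (!m || sscanf(m, "msg=audit(%31[0-9.]:%lu):", r->time, &r->serial) != 2)
        return 0;
    const char *body = strchr(m, ')');
    if (!body) return 0;
    body++;
    if (*body == ':') body++;
    /* Tokenise key=value pairs; a quoted value keeps its spaces. */
    while (*body && r->nfields < MAX_FIELDS) {
        while (*body == ' ') body++;
        if (!*body || *body == '\n') break;
        struct field *f = &r->fields[r->nfields];
        const char *eq = strchr(body, '=');
        if (!eq) break;
        size_t nl = eq - body; if (nl >= sizeof f->name) nl = sizeof f->name - 1;
        memcpy(f->name, body, nl); f->name[nl] = 0;
        const char *v = eq + 1, *end;
        if (*v == '"') { v++; end = strchr(v, '"'); if (!end) end = v + strlen(v); }
        else { end = v; while (*end && *end != ' ' && *end != '\n') end++; }
        size_t vl = end - v; if (vl >= sizeof f->value) vl = sizeof f->value - 1;
        memcpy(f->value, v, vl); f->value[vl] = 0;
        body = (*end == '"') ? end + 1 : end;
        r->nfields++;
    }
    return 1;
}

/* Field lookup by name (like auparse_find_field on one record). */
const char *record_get_field(const struct record *r, const char *name)
{
    for (int i = 0; i < r->nfields; i++)
        if (strcmp(r->fields[i].name, name) == 0) return r->fields[i].value;
    return NULL;
}

typedef void (*event_cb)(const struct record *recs, int n, void *user);

struct feeder { struct record recs[MAX_RECORDS]; int n; event_cb cb; void *user; };

static void feeder_emit(struct feeder *f)
{
    if (f->n > 0 && f->cb) f->cb(f->recs, f->n, f->user);
    f->n = 0;
}

/* Feed one line (the auparse_feed step). Returns 1 if a complete event was
 * handed to the callback: a new serial closes the buffered event. Lines that
 * are not audit records are ignored. */
int feed_line(struct feeder *f, const char *line)
{
    struct record r;
    if (!parse_record(line, &r)) return 0;
    int emitted = 0;
    if (f->n > 0 && (f->recs[0].serial != r.serial || f->n == MAX_RECORDS)) {
        feeder_emit(f);
        emitted = 1;
    }
    f->recs[f->n++] = r;
    return emitted;
}

/* The auparse_flush_feed step: push out the last buffered event at EOF. */
int feed_flush(struct feeder *f)
{
    if (f->n == 0) return 0;
    feeder_emit(f);
    return 1;
}

static void print_event(const struct record *recs, int n, void *user)
{
    (void)user;
    printf("event serial=%lu records=%d\n", recs[0].serial, n);
    for (int i = 0; i < n; i++) {
        const char *exe = record_get_field(&recs[i], "exe");
        printf("  %s%s%s\n", recs[i].type, exe ? " exe=" : "", exe ? exe : "");
    }
}

int main(void)
{
    static struct feeder f;   /* static: the record buffer is large */
    f.cb = print_event;
    char line[4096];
    /* An audisp plugin receives the records on stdin, one per line. */
    while (fgets(line, sizeof line, stdin))
        feed_line(&f, line);
    feed_flush(&f);
    return 0;
}
```

Feed it constructed records such as `printf 'type=SYSCALL msg=audit(1416330000.123:42): syscall=59 exe="/usr/bin/ls"\ntype=EXECVE msg=audit(1416330000.123:42): argc=2 a0="ls" a1="-l"\n' | ./plugin` and it prints one event with two records; in a real plugin the `print_event` body is where the parsed event would be serialised and shipped to the remote store.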