auparse_feed callback on EOE record

Tarun Ramesh tramesh at acalvio.com
Wed Jun 12 07:05:40 UTC 2019


Hi Steve,

Thanks for the reply. I compared the record string I was passing to
auparse_feed() against the example string in auparse/test/auparse_test.c
(in audit-userspace git repo).
Looks like I needed to prepend "msg=" before the audit message and pass the
exact length of the record string to auparse_feed().

Changing the lines in the code to:

snprintf(record_buffer, (record_buffer_len - 1), "type=%s msg=%.*s\n",
type_name, reply.len, reply.message);
auparse_feed(au, record_buffer, strlen(record_buffer));

worked.

Also I noticed that the EOE record is treated as its own event even though
there were other records with the same audit serial number. I guess this is
expected as after EOE there will be no more records for this event and if
EOE was treated as a part of the previous event, then it will not be
possible to tell when this event is complete.

Thanks for the help,
Tarun

On Tue, Jun 11, 2019 at 9:49 PM Steve Grubb <sgrubb at redhat.com> wrote:

> On Tuesday, June 11, 2019 2:56:23 AM EDT Tarun Ramesh wrote:
> > The callback function on_audit_event() just goes through the records one
> > by one and prints the fields and values. I have added a rule to watch for
> > file edits in the /home folder. I see the records for file creation in
> > this folder being received, however it looks like the callback function
> > is not being called when an EOE record is received. Please let me know if
> > I'm missing something.
>
> As long as the format exactly matched how auditd creates the record,
> cursory glance appears ok, then the records get grouped inside auparse to
> form a complete event. When the event is determined to be complete, it is
> passed to the registered callback function. You need to iterate over the
> individual records to see the whole event.
>
> So, you do not get a callback on an individual record, you are called back
> on a complete event. The EOE record should be the last record. You can use
> auparse_next_record() to iterate across records.
>
> -Steve
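The two points of this thread, the exact "type=... msg=...\n" framing with the exact length passed to auparse_feed(), and the callback firing only once the EOE record closes an event, can be shown in one small program. The block below is an added example written for this page; it is not code from the list post or from the audit-userspace project and it does not link libauparse. It models the record framing and serial-based grouping with a stand-in feeder, so struct reply_stub, format_record(), feed_record() and run_demo() are names assumed here, and every audit record in it is constructed sample data.

```c
/* Added example (not from the list post or audit-userspace): a self-contained
 * model of how records are framed for auparse_feed() and grouped by serial into
 * one event that reaches the callback only when EOE arrives. No libauparse is
 * linked; reply_stub mirrors just the fields the thread used; records are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECORDS 16
#define RECORD_LEN 512

struct reply_stub {            /* hypothetical stand-in for struct audit_reply */
    const char *type_name;     /* what audit_msg_type_to_name(reply.type) gives */
    const char *message;       /* raw text: "audit(sec.milli:serial): ..." */
    int len;                   /* exact message length; not assumed NUL-terminated */
};

/* Frame a record as the thread settled on: "type=<TYPE> msg=<message>\n".
 * snprintf() takes the full buffer size and always NUL-terminates; the return
 * value is checked so a truncated record is never fed with a bogus length. */
int format_record(char *buf, size_t buflen, const struct reply_stub *r)
{
    int n = snprintf(buf, buflen, "type=%s msg=%.*s\n",
                     r->type_name, r->len, r->message);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;   /* -1 on truncation */
}

/* Extract the serial from "msg=audit(1560320000.123:4567):"; 0 on failure. */
unsigned long record_serial(const char *rec)
{
    const char *p = strstr(rec, "msg=audit(");
    if (p == NULL) return 0;
    p = strchr(p, ':');
    return p ? strtoul(p + 1, NULL, 10) : 0;
}

int record_is_eoe(const char *rec) { return strncmp(rec, "type=EOE ", 9) == 0; }

struct event {                 /* all records sharing one serial */
    unsigned long serial;
    int count;
    char records[MAX_RECORDS][RECORD_LEN];
};

typedef void (*event_cb)(const struct event *ev, void *user);

struct feeder { struct event cur; event_cb cb; void *user; int emitted; };

static void emit(struct feeder *f) { f->cb(&f->cur, f->user); f->emitted++; f->cur.count = 0; }

/* Feed one framed record. Nothing is delivered per record: the callback runs
 * only when EOE closes the event, or when a record with a new serial shows
 * the previous event is over. Grouping is by serial, not adjacency. */
int feed_record(struct feeder *f, const char *rec, size_t len)
{
    unsigned long serial = record_serial(rec);
    if (serial == 0 || len == 0 || len >= RECORD_LEN || rec[len - 1] != '\n')
        return -1;                                  /* unframed or overlong input */
    if (f->cur.count > 0 && f->cur.serial != serial)
        emit(f);
    if (f->cur.count >= MAX_RECORDS) return -1;
    f->cur.serial = serial;
    memcpy(f->cur.records[f->cur.count], rec, len);
    f->cur.records[f->cur.count][len] = '\0';
    f->cur.count++;
    if (record_is_eoe(rec)) emit(f);
    return 0;
}

/* Callback: walk the records of the complete event, the way one would with
 * auparse_first_record()/auparse_next_record(), and remember how many there were. */
static int g_last_count;
static void on_event(const struct event *ev, void *user)
{
    (void)user;
    g_last_count = ev->count;
    for (int i = 0; i < ev->count; i++)
        fputs(ev->records[i], stdout);
}
int last_event_record_count(void) { return g_last_count; }

/* Constructed records for one file-creation event under /home, closed by EOE. */
int run_demo(void)
{
    const struct reply_stub sample[] = {
        { "SYSCALL", "audit(1560320000.123:4567): arch=c000003e syscall=257 success=yes exit=3", 0 },
        { "CWD",     "audit(1560320000.123:4567): cwd=\"/home/user\"", 0 },
        { "PATH",    "audit(1560320000.123:4567): item=0 name=\"/home/user/notes.txt\" nametype=CREATE", 0 },
        { "EOE",     "audit(1560320000.123:4567): ", 0 },
    };
    struct feeder f = { .cb = on_event };
    char buf[RECORD_LEN];
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        struct reply_stub r = sample[i];
        r.len = (int)strlen(r.message);             /* the kernel supplies the exact length */
        int n = format_record(buf, sizeof buf, &r);
        if (n < 0 || feed_record(&f, buf, (size_t)n) != 0) return -1;
    }
    return f.emitted;                               /* 1: the callback ran once, for the whole event */
}

int main(void) { return run_demo() == 1 ? 0 : 1; }
```

Three records are fed without any callback; only the fourth, the EOE, causes on_event() to run once with all four records, which is the behaviour Steve describes. The length check in feed_record() is the defensive counterpart of passing strlen(record_buffer) to auparse_feed(): a record that is not newline-terminated or that was truncated by snprintf() is rejected rather than silently mis-framed.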