auparse with AUSOURCE_DESCRIPTOR

Satish Chandra Kilaru iam.kilaru at gmail.com
Thu Jul 30 14:16:53 UTC 2015


Never mind... I found out why it was not working...

1. auparse_next_event() does not call the callback function. I have to call
that function when auparse_next_event() returns.
2. It expects events in string format. I configured the plugin to send
events in binary format, hence auparse_next_event() was not returning.
3. auparse_next_event() returns only when the parser sees the beginning of
the next event, i.e. the first event is returned after seeing the beginning of
the 2nd event. Is this expected?

--Satish

On Wed, Jul 29, 2015 at 4:36 PM, Satish Chandra Kilaru <iam.kilaru at gmail.com> wrote:

> Has anyone tried AUSOURCE_DESCRIPTOR with a unix socket as fd?
>
> I am doing the following.
>
> int sd_u = socket(AF_UNIX, SOCK_STREAM, 0);
> if (connect(sd_u, (struct sockaddr *) &sa, sizeof(sa)) != 0)
>     return 1;
> auparse_state_t *au = auparse_init(AUSOURCE_DESCRIPTOR, (const void *)sd_u);
> auparse_add_callback(au, auparse_callback, event_cnt, free);
> ausearch_next_event(au);
>
> My auparse_callback() is not getting called. My program just blocks in
> ausearch_next_event().
>
> read(sd_u, buf, sizeof(buf)) gets me events... That means I am using
> correct unix socket.
> How do I make the callback function get called for each event?
>
> Am I missing something here?
>
> Thanks in advance.
> --Satish
> --
> Please Donate to www.wikipedia.org
>



-- 
Please Donate to www.wikipedia.org
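
The behaviour in point 3 above, as an added example that is not part of the original post and is not libauparse code: a simplified model which assumes the records of one event share the same msg=audit(timestamp:serial) id, so a stream reader can only tell that an event is complete once a record with a different id arrives or the input ends. The names grouper, feed_record and events_after are hypothetical, and the sample records are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of grouping records into events; not libauparse source. */
typedef struct { char cur_id[40]; int cur_records; } grouper;

/* Copy the "timestamp:serial" id out of "msg=audit(<id>):"; 0 on success. */
static int record_id(const char *line, char *id, size_t n) {
    const char *p = strstr(line, "msg=audit(");
    if (!p) return -1;
    p += strlen("msg=audit(");
    const char *e = strchr(p, ')');
    if (!e || e == p || (size_t)(e - p) >= n) return -1;
    memcpy(id, p, (size_t)(e - p)); id[e - p] = '\0';
    return 0;
}

/* Returns 1 when this record's id differs from the buffered one (the previous
 * event is now known to be complete), 0 when it extends the buffered event,
 * -1 when the line carries no msg=audit(...) id at all. */
static int feed_record(grouper *g, const char *line) {
    char id[40];
    if (record_id(line, id, sizeof id) != 0) return -1;
    if (g->cur_records > 0 && strcmp(id, g->cur_id) == 0) { g->cur_records++; return 0; }
    int completed = g->cur_records > 0;
    strcpy(g->cur_id, id); g->cur_records = 1;
    return completed;
}

/* Constructed sample records: two events of two records each. */
static const char *SAMPLE[] = {
    "type=SYSCALL msg=audit(1438265813.101:501): syscall=2 success=yes",
    "type=PATH msg=audit(1438265813.101:501): item=0 name=\"/etc/passwd\"",
    "type=SYSCALL msg=audit(1438265813.250:502): syscall=59 success=yes",
    "type=PATH msg=audit(1438265813.250:502): item=0 name=\"/bin/ls\"",
};

/* Events delivered after the first n records; do_flush models end of input. */
int events_after(int n, int do_flush) {
    grouper g = { "", 0 };
    int events = 0;
    for (int i = 0; i < n && i < 4; i++)
        if (feed_record(&g, SAMPLE[i]) == 1) events++;
    if (do_flush && g.cur_records > 0) events++;  /* buffered tail is the last event */
    return events;
}

int main(void) {
    for (int n = 1; n <= 4; n++) printf("after %d records: %d event(s)\n", n, events_after(n, 0));
    printf("after end of input: %d event(s)\n", events_after(4, 1));
    return 0;
}
```

In this model the first event is delivered only when the third record (the first of event 502) is fed, and the last event is delivered only at end of input.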