From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Troubleshooting Custom audispd Plugin
Date: Fri, 07 Sep 2018 08:57:02 -0400	[thread overview]
Message-ID: <1829734.4gin0Gxk11@x2> (raw)
In-Reply-To: <CACva_gGDrgNRefZUKsOgTykZ08Yq-OUPVdEKJ37_Y3ZResY+Lg@mail.gmail.com>

On Friday, September 7, 2018 7:30:09 AM EDT Osama Elnaggar wrote:
> Hi,
> 
> I'm working on a custom audispd plugin written in Python 3.  It’s a work in
> progress and I’ve successfully run it numerous times as an audispd plugin.
> However, I sometimes make modifications that result in the audispd plugin
> failing and I end up with the following in /var/log/syslog
> 
> Sep  6 20:52:05 ubuntu-hypervisor audispd: plugin /usr/bin/python3
> terminated unexpectedly
> Sep  6 20:52:05 ubuntu-hypervisor audispd: plugin /usr/bin/python3 was
> restarted
> ...
> 
> This is repeated several times until audispd gives up and I see the
> following message:
> 
> Sep  6 20:52:14 ubuntu-hypervisor audispd: plugin /usr/bin/python3 has
> exceeded max_restarts
> 
> To troubleshoot, I modify my code to read from /var/log/audit/audit.log
> instead.  I modify a single line (with fileinput.input() to read from
> myfile as shown in the commented line below).
> 
> Here is the code snippet (a colorized easier to read version is available
> here - https://pastebin.com/84Nxu3Rp):
> 
> import fileinput
> import logging
> 
> import auparse
> 
> logger = logging.getLogger(__name__)
> 
> # callback invoked by auparse; a complete event is only available once
> # cb_event_type is AUPARSE_CB_EVENT_READY (placeholder body, the full
> # script is at the pastebin link above)
> def fn_process_event(au, cb_event_type, user_data):
>     if cb_event_type != auparse.AUPARSE_CB_EVENT_READY:
>         return
>     logger.info("event %d ready", au.get_serial())
> 
> # let us initialize the AuParser
> aup = auparse.AuParser(auparse.AUSOURCE_FEED)
> 
> # we initialize the callback to be fn_process_event
> aup.add_callback(fn_process_event, None, None)
> 
> myfile = "/var/log/audit/audit.log"
> 
> while True:
>     try:
>         # we read in line by line from stdin
>         for line in fileinput.input():
>         #for line in fileinput.input(myfile):
>             aup.feed(line)
>         # EOF: audispd closed the pipe, so stop instead of re-opening
>         # an exhausted stdin in a tight loop
>         break
>     except Exception:
>         logger.error("Fatal error in while loop", exc_info=True)
>         # release the active fileinput state, otherwise the next
>         # fileinput.input() raises "input() already active"
>         fileinput.close()
> 
> # we flush the feed when we quit
> aup.flush_feed()
> 
> Any suggestions on how to troubleshoot these types of issues when reading
> from a file works fine without issue but running it as a plugin fails as
> shown in /var/log/syslog?  Thanks.

All plugins have a requirement to take events from stdin. As long as it 
expects strings (which is the way that auparse wants them), then all you have 
to do is:

ausearch --start boot --raw | ./plugin

You can also save raw logs with ausearch and cat them into the plugin. This 
is helpful when you get a problem down to a certain series of events and you 
don't want to go through a thousand events before the problem sequence.

-Steve




--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
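The offline harness Steve describes, as an added example that is not part of the thread: save raw records once, then drive the plugin from them, and bisect a saved file by event serial so the plugin is not pushed through a thousand good events before the sequence that kills it. The plugin name ./plugin, the file name saved.raw, the helper function names and the six sample records are all assumptions made for this example; the records are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the thread: drive an audispd plugin from saved raw
# audit records instead of a live audispd, and narrow a crash down to the
# first event that triggers it.  The plugin name ./plugin is hypothetical;
# any program that reads raw records on stdin will do.
#
# Capture step (needs a real audit log, so it is not executed here):
#   ausearch --start boot --raw > saved.raw
#   ./plugin < saved.raw

# Constructed sample of raw records, one per line, as both audispd and
# `ausearch --raw` deliver them.  The serial inside msg=audit(TIME:SERIAL)
# ties the records of one event together.
SAMPLE_RAW=$(mktemp)
trap 'rm -f "$SAMPLE_RAW"' EXIT
cat > "$SAMPLE_RAW" <<'EOF'
type=SYSCALL msg=audit(1536281525.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1200 auid=1000 uid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=PROCTITLE msg=audit(1536281525.101:2001): proctitle=2F7573722F7362696E2F63726F6E
type=USER_LOGIN msg=audit(1536281526.240:2002): pid=1310 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1536281527.555:2003): arch=c000003e syscall=2 success=yes exit=3 ppid=1310 pid=1320 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="watch_sudoers"
type=PATH msg=audit(1536281527.555:2003): item=0 name="/etc/sudoers" inode=2457 dev=fd:01 mode=0100440 ouid=0 ogid=0
type=SYSCALL msg=audit(1536281528.900:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=1310 pid=1330 auid=1000 uid=1000 comm="ls" exe="/bin/ls" key=(null)
EOF

# Unique event serials in FILE, ascending.
audit_serials() {  # file
    sed -n 's/.*msg=audit([0-9]*\.[0-9]*:\([0-9]*\)).*/\1/p' "$1" | sort -n -u
}

# Records of FILE whose serial lies in [LO, HI], in original order.
audit_slice() {  # file lo hi
    awk -v lo="$2" -v hi="$3" '
        match($0, /msg=audit\([0-9]+\.[0-9]+:[0-9]+\)/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^.*:/, "", s); sub(/\)$/, "", s)
            if (s + 0 >= lo + 0 && s + 0 <= hi + 0) print
        }' "$1"
}

# Binary-search the event prefixes of FILE: print the lowest serial whose
# inclusion makes PLUGIN exit non-zero, nothing if every prefix succeeds.
# Assumes the failure is reproducible from the events up to and including
# the offending one, so "prefix fails" is monotonic in the prefix length.
first_bad_serial() {  # file plugin [args...]
    _f=$1; shift
    _n=$(audit_serials "$_f" | wc -l | tr -d ' ')
    [ "$_n" -gt 0 ] || return 1
    _first=$(audit_serials "$_f" | sed -n 1p)
    _lo=1; _hi=$_n; _bad=""
    while [ "$_lo" -le "$_hi" ]; do
        _mid=$(( (_lo + _hi) / 2 ))
        _ser=$(audit_serials "$_f" | sed -n "${_mid}p")
        if audit_slice "$_f" "$_first" "$_ser" | "$@" >/dev/null 2>&1; then
            _lo=$(( _mid + 1 ))              # survived: culprit is later
        else
            _bad=$_ser; _hi=$(( _mid - 1 ))  # crashed: culprit here or earlier
        fi
    done
    [ -n "$_bad" ] && printf '%s\n' "$_bad"
}

# Stand-alone demonstration with a stand-in "plugin" that fails on the
# sudoers watch record; on the sample this reports serial 2003.
first_bad_serial "$SAMPLE_RAW" sh -c '! grep -q watch_sudoers'

# Replay just that event window into the real plugin, when one is present.
if [ -x ./plugin ]; then
    audit_slice "$SAMPLE_RAW" 2003 2003 | ./plugin
fi
```

The bisection feeds prefixes rather than single events on purpose: a plugin that keeps state across events (auparse's feed mode does) may only fall over on an event because of what came before it, and a prefix keeps that history intact. Once the window is known, `audit_slice saved.raw FROM TO | ./plugin` replays only the interesting events, which is the "cat them into the plugin" step from the reply above.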

Thread overview:
2018-09-07 11:30 Troubleshooting Custom audispd Plugin Osama Elnaggar
2018-09-07 12:57 ` Steve Grubb [this message]
2018-09-07 13:19   ` Osama Elnaggar
2018-09-07 13:42     ` Steve Grubb
2018-09-07 20:18       ` Osama Elnaggar
