Realtime parsing with Auparse

Realtime parsing with Auparse

[Wouter van Verre]

Hi all,

I am looking to do some real time parsing with audit. After some testing I figured it would be easier to the parsing in a plugin on the local machine and then send the parsed data to a remote machine for storage.

After reading the audit-parse.txt document I am not quite sure how to proceed. Given that the plugin will receive data on stdin, how would I go about setting the auparse library up (for example, what ausource_t should I specify to initialise the auparse_state_t object) to enable real time parsing?


Many thanks,

Wouter 		 	   		  

Re: Realtime parsing with Auparse

[Steve Grubb]

On Tuesday, November 18, 2014 02:37:38 PM Wouter van Verre wrote:
> Hi all,
> 
> I am looking to do some real time parsing with audit. After some testing I
> figured it would be easier to the parsing in a plugin on the local machine
> and then send the parsed data to a remote machine for storage.
> 
> After reading the audit-parse.txt document I am not quite sure how to
> proceed. Given that the plugin will receive data on stdin, how would I go
> about setting the auparse library up (for example, what ausource_t should I
> specify to initialise the auparse_state_t object) to enable real time
> parsing?

There is an example plugin in the source distribution. You can see it here:

https://fedorahosted.org/audit/browser/trunk/contrib/plugin

The plugin provides a code skeleton and demonstration of how to move around 
the events / records / fields. Other examples would be the prelude-plugin and 
aulast utility.

-Steve