* auditd syslog builtin plugin
@ 2010-05-25 14:10 cosmih
From: cosmih @ 2010-05-25 14:10 UTC
To: linux-audit
Hi,
I am trying to make the builtin syslog audisp plugin use a custom
facility/priority pair for the syslog messages exported to the syslog
daemon. For that I am using the patch and the conf below.
The problem is that the compile and the start process don't give any
errors when I am using the customization below, but the syslog daemon
receives the messages from the audisp with the default facility
(LOG_USER). So I need a little help here.
I would appreciate any help.
Thanks,
--
Cosmih
============================================================
/etc/audisp/plugins.d/syslog.conf
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_ALERT LOG_KERN
format = string
============================================================
============================================================
diff -ur audit-2.0.4/audisp/audispd-builtins.c audit-2.0.4-new/audisp/audispd-builtins.c
--- audit-2.0.4/audisp/audispd-builtins.c 2009-12-07 23:16:41.000000000 +0200
+++ audit-2.0.4-new/audisp/audispd-builtins.c 2010-05-25 16:56:18.000000000 +0300
@@ -37,7 +37,7 @@
// Local data
static volatile int sock = -1, conn = -1;
-static int syslog_started = 0, priority;
+static int syslog_started = 0, priority, facility;
static char *path = NULL;
// Local prototypes
@@ -278,8 +278,25 @@
syslog_started = 0;
return;
}
- } else
+ } else {
priority = LOG_INFO;
+ }
+ if (conf->args[2]) {
+ if (strcasecmp(conf->args[2], "LOG_USER") == 0)
+ facility = LOG_USER
+ else if (strcasecmp(conf->args[2], "LOG_DAEMON") == 0)
+ facility = LOG_DAEMON;
+ else if (strcasecmp(conf->args[2], "LOG_KERN") == 0)
+ facility = LOG_KERN;
+ else {
+ syslog(LOG_ERR, "Unknown log priority %s",
+ conf->args[2]);
+ syslog_started = 0;
+ return;
+ }
+ else {
+ facility = LOG_KERN;
+ }
syslog_started = 1;
syslog(LOG_INFO, "syslog plugin initialized");
}
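Review bot: the new `conf->args[2]` block does not compile as posted, so the binary whose behaviour was observed cannot have been built from exactly this diff: `facility = LOG_USER` is missing its semicolon, and the closing `else { facility = LOG_KERN; }` has no `if` to attach to because the `}` that should close `if (conf->args[2]) {` is missing before it (mirror the `} else {` form used for the `priority` branch just above). The error message `Unknown log priority %s` is emitted for a bad facility name; say `facility` there so the two rejection paths can be told apart when audispd logs them. Also worth deciding deliberately: the fallback when no facility is configured is LOG_KERN, which differs from what the plugin sent before this patch (the libc default, LOG_USER), so existing configs without a second argument would silently have their audit messages moved in the syslog daemon's facility-based routing.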
@@ -287,7 +304,7 @@
void send_syslog(const char *s)
{
if (syslog_started)
- syslog(priority, "%s", s);
+ syslog(facility|priority, "%s", s);
}
void destroy_syslog(void)
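Review bot: `syslog(facility|priority, "%s", s)` cannot produce the facility this config asks for: LOG_KERN is defined as 0, so `LOG_KERN|priority` is just the unchanged `priority`, and the message is then stamped with the libc default facility, LOG_USER, which is exactly what the syslog daemon is reported to receive. OR-ing the facility into each call only works for non-zero facilities; the fix that works for every facility is the openlog(3) call Steve suggests in start_syslog, passing the parsed `facility` as its third argument, after which this line can keep passing `priority` alone. For an audit pipeline a facility such as LOG_AUTHPRIV or one of LOG_LOCAL0..7 is also the safer choice, since messages tagged LOG_KERN by a user-space process are indistinguishable from kernel messages in the daemon's facility filters.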
============================================================
* Re: auditd syslog builtin plugin
From: Steve Grubb @ 2010-05-25 15:14 UTC
To: linux-audit
On Tuesday 25 May 2010 10:10:29 am cosmih wrote:
> The problem is that the compile and the start process don't give any
> errors when I am using the below customization but the syslog daemon
> receives the messages from the audisp with the default facility
> (LOG_USER). So I need a little help here.
You probably need a call to openlog(3) right after figuring out the logging
options.
-Steve
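The openlog(3) approach Steve describes, written out as an added example that is not code from this thread or from the audit project: it resolves the `args = PRIORITY FACILITY` pair from syslog.conf by name, registers the facility once with openlog(3), and then lets the send path pass only the priority. The name tables, the `audispd` ident and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <strings.h>
#include <syslog.h>
/* Symbolic name -> value tables (constructed for this example, not audispd's own code). */
struct name_val { const char *name; int val; };
static const struct name_val priorities[] = {
    { "LOG_EMERG", LOG_EMERG }, { "LOG_ALERT", LOG_ALERT }, { "LOG_CRIT", LOG_CRIT },
    { "LOG_ERR", LOG_ERR }, { "LOG_WARNING", LOG_WARNING }, { "LOG_NOTICE", LOG_NOTICE },
    { "LOG_INFO", LOG_INFO }, { "LOG_DEBUG", LOG_DEBUG }, { NULL, 0 }
};
static const struct name_val facilities[] = {
    { "LOG_KERN", LOG_KERN }, { "LOG_USER", LOG_USER }, { "LOG_DAEMON", LOG_DAEMON },
    { "LOG_AUTHPRIV", LOG_AUTHPRIV }, { "LOG_LOCAL0", LOG_LOCAL0 }, { NULL, 0 }
};
/* Case-insensitive lookup; -1 means unknown (LOG_KERN is 0, so 0 cannot mean "not found"). */
static int lookup(const struct name_val *tab, const char *name)
{
    for (; tab->name != NULL; tab++)
        if (strcasecmp(tab->name, name) == 0)
            return tab->val;
    return -1;
}
/* Resolve "args = PRIORITY FACILITY": a missing name takes the default (LOG_INFO / LOG_USER),
 * an unknown name is rejected instead of silently logging as LOG_USER. 0 on success, -1 on error. */
int parse_syslog_args(const char *prio_name, const char *fac_name, int *prio, int *fac)
{
    *prio = prio_name ? lookup(priorities, prio_name) : LOG_INFO;
    *fac  = fac_name  ? lookup(facilities, fac_name)  : LOG_USER;
    return (*prio < 0 || *fac < 0) ? -1 : 0;
}

static int log_priority, log_facility, started;
/* The openlog(3) call Steve points to: the facility is registered once and applies to every
 * later syslog() call, instead of being OR-ed into each message (LOG_KERN == 0 would add nothing). */
int start_syslog_example(const char *prio_name, const char *fac_name)
{
    if (parse_syslog_args(prio_name, fac_name, &log_priority, &log_facility) < 0) {
        started = 0;
        return -1;
    }
    openlog("audispd", LOG_PID, log_facility);   /* ident "audispd" is assumed */
    started = 1;
    return 0;
}
void send_syslog_example(const char *s)
{
    if (started)
        syslog(log_priority, "%s", s);   /* priority only; the facility comes from openlog() */
}
```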
* Re: auditd syslog builtin plugin
From: cosmih @ 2010-05-27 7:41 UTC
To: Steve Grubb; +Cc: linux-audit
Hi Steve,
I am not a C programmer. Could you be so kind as to give me a little more
detail about this?
Thanks,
--
Cosmih
On Tue, May 25, 2010 at 6:14 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday 25 May 2010 10:10:29 am cosmih wrote:
>> The problem is that the compile and the start process don't give any
>> errors when I am using the below customization but the syslog daemon
>> receives the messages from the audisp with the default facility
>> (LOG_USER). So I need a little help here.
>
> You probably need a call to openlog(3) right after figuring out the logging
> options.
>
> -Steve
>