public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Basim Baig <basimbaig@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: Events per System Call
Date: Mon, 16 Aug 2010 21:13:54 -0400
Message-ID: <201008162113.54628.sgrubb@redhat.com>
In-Reply-To: <AANLkTinZzyKmv3GGhUTqy83vxLQCvnX=_ewLS+k81xeA@mail.gmail.com>

On Monday, August 16, 2010 08:49:48 pm Basim Baig wrote:
> If I am taking my data stream through the af_unix socket built-in plugin
> then will I get the audit_eoe event?

For an audispd plugin, you would need to set the format parameter to binary.
See the sample conf file:

https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.conf

or the audisp man page for discussion on each parameter's values.


> Do I have to set up some special rule to get this event or is it there by default
> in the af_unix plugin stream?

The default is to turn things into strings so that they can be used by the
auparse library. But the binary setting means you are willing to follow all
the rules and do it yourself however painful that may be. :)  I think they
are here:

http://people.redhat.com/sgrubb/audit/audit-rt-events.txt

You can probably use the same code as this:

https://fedorahosted.org/audit/browser/trunk/contrib/skeleton.c

to write your plugin.

-Steve
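The difference Steve describes between "format = string" and "format = binary" is that in binary mode the plugin receives, for each record, a small fixed header carrying the record type followed by the raw record bytes, and it is the plugin's job to notice the AUDIT_EOE marker that closes a multi-record event. The following is an added example, not code from this thread, from the audit project or from skeleton.c: it parses such a stream from a memory buffer, counts records and completed events, and stops cleanly on a truncated record so a caller reading stdin can carry the tail over to the next read. The header layout is assumed to mirror struct audit_dispatcher_header from libaudit.h (four uint32_t fields), the protocol version 0 and the 8970-byte payload limit are assumptions, and the record payloads are constructed sample text, not captured from a real audispd socket.

```c
/* Added example (not from the mailing-list thread or the audit project):
 * parse the audispd "format = binary" record stream.
 *
 * The matching plugin entry would read, in the style of audisp-example.conf:
 *   format = binary
 * (everything else in that file left as the sample shows). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASSUMPTION: mirrors struct audit_dispatcher_header in libaudit.h. A local
 * copy is used so the example builds without the audit headers; compare it
 * with your installed libaudit.h before using it against a live socket. */
struct disp_hdr {
    uint32_t ver;   /* protocol version (assumed 0) */
    uint32_t hlen;  /* header length; must equal sizeof(struct disp_hdr) */
    uint32_t type;  /* audit record type, e.g. AUDIT_SYSCALL */
    uint32_t size;  /* payload bytes that follow the header */
};

/* Record type numbers as defined in linux/audit.h. */
#define AUDIT_SYSCALL 1300  /* syscall record */
#define AUDIT_PATH    1302  /* path record */
#define AUDIT_EOE     1320  /* end of multi-record event */

/* ASSUMPTION: sanity bound on a single record payload. */
#define MAX_PAYLOAD   8970

struct stream_stats {
    unsigned records;   /* headers parsed with a complete payload */
    unsigned events;    /* AUDIT_EOE markers seen (complete events) */
    unsigned open;      /* records seen since the last EOE (event still open) */
};

/* Walk a buffer of binary-format records. Returns the number of bytes fully
 * consumed (a truncated final record is left unconsumed so a stdin reader can
 * retry once more data arrives), or -1 if a header is not one we understand. */
long parse_binary_stream(const unsigned char *buf, size_t len, struct stream_stats *st)
{
    size_t off = 0;
    memset(st, 0, sizeof *st);
    while (len - off >= sizeof(struct disp_hdr)) {
        struct disp_hdr h;
        memcpy(&h, buf + off, sizeof h);        /* copy out: avoids unaligned reads */
        if (h.hlen != sizeof h || h.size > MAX_PAYLOAD)
            return -1;                          /* malformed or unknown layout */
        if (len - off - sizeof h < h.size)
            break;                              /* payload not all here yet */
        st->records++;
        if (h.type == AUDIT_EOE) {
            st->events++;                       /* event closed: safe to process it */
            st->open = 0;
        } else {
            st->open++;
        }
        off += sizeof h + h.size;
    }
    return (long)off;
}

/* Append one record (header + payload) to out at offset off; returns new length. */
size_t append_record(unsigned char *out, size_t off, uint32_t type, const char *payload)
{
    struct disp_hdr h = { 0, sizeof(struct disp_hdr), type, (uint32_t)strlen(payload) };
    memcpy(out + off, &h, sizeof h);
    memcpy(out + off + sizeof h, payload, h.size);
    return off + sizeof h + h.size;
}

/* Constructed sample stream: a two-record event followed by its EOE marker.
 * The payload text is made up for the example; it is not a captured record. */
size_t build_sample(unsigned char *out)
{
    size_t n = 0;
    n = append_record(out, n, AUDIT_SYSCALL,
        "audit(1282000000.123:456): arch=c000003e syscall=2 success=yes exit=3");
    n = append_record(out, n, AUDIT_PATH,
        "audit(1282000000.123:456): item=0 name=\"/etc/passwd\"");
    n = append_record(out, n, AUDIT_EOE, "audit(1282000000.123:456): ");
    return n;
}

int main(void)
{
    unsigned char buf[1024];
    struct stream_stats st;
    size_t n = build_sample(buf);
    long used = parse_binary_stream(buf, n, &st);
    printf("consumed %ld of %zu bytes: %u records, %u complete events, %u open\n",
           used, n, st.records, st.events, st.open);
    return 0;
}
```

The point worth keeping from this shape is that a record is only acted on once its EOE has been seen; processing SYSCALL and PATH records as they arrive, before the event is closed, is exactly the bookkeeping auparse does for you in string mode and that a binary-mode plugin has to do itself.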


Thread overview: 6+ messages
2010-08-16 21:38 Events per System Call Basim Baig
2010-08-17  0:46 ` Steve Grubb
2010-08-17  0:49   ` Basim Baig
2010-08-17  1:13     ` Steve Grubb [this message]
2010-08-17  1:18       ` Steve Grubb
2010-08-17  2:56         ` Basim Baig
