From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Events per System Call
Date: Mon, 16 Aug 2010 21:13:54 -0400
Message-ID: <201008162113.54628.sgrubb@redhat.com>
References: <201008162046.12888.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Basim Baig
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, August 16, 2010 08:49:48 pm Basim Baig wrote:
> If I am taking my data stream through the af_unix socket built-in plugin
> then will I get the audit_eoe event?

For an audispd plugin, you would need to set the format parameter to binary.
See the sample conf file:

https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.conf

or the audisp man page for discussion on each parameter's values.

> Do I have to set up some special rule to get this event or is it there by
> default in the af_unix plugin stream?

The default is to turn things into strings so that they can be used by the
auparse library. But the binary setting means you are willing to follow all
the rules and do it yourself however painful that may be. :) I think they
are here:

http://people.redhat.com/sgrubb/audit/audit-rt-events.txt

You can probably use the same code as this:

https://fedorahosted.org/audit/browser/trunk/contrib/skeleton.c

to write your plugin.

-Steve
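Added example (not part of the thread, and not code from the audit project or skeleton.c): what "following the rules yourself" looks like for a plugin that reads the binary audispd stream. It frames the stream by the dispatcher header, groups records by the serial in "audit(TIME:SERIAL):", and treats the event as complete only when the AUDIT_EOE record arrives. Assumptions: the header is mirrored locally as four host-order uint32_t fields (ver, hlen, type, size) so this builds without libaudit headers; the record type numbers are the ones from the kernel's audit.h; the sample records and their field values are constructed and fed from a buffer instead of the plugin's stdin.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local mirror of the audispd dispatcher header (assumption: matches
 * struct audit_dispatcher_header in <libaudit.h>, host byte order). */
struct disp_hdr { uint32_t ver, hlen, type, size; };

#define AUDISP_PROTO_VER 0
#define AUDIT_SYSCALL 1300
#define AUDIT_PATH    1302
#define AUDIT_CWD     1307
#define AUDIT_EOE     1320   /* end-of-event marker the plugin must wait for */

struct stream_stats {
    unsigned records;      /* frames accepted */
    unsigned events;       /* events closed by an AUDIT_EOE */
    unsigned pending;      /* records of the event still open */
    unsigned mismatch;     /* records whose serial differs from the open event */
    unsigned long serial;  /* serial of the open (or last closed) event */
    int truncated;         /* stream ended in the middle of a frame */
    int bad;               /* header rejected (unknown version or short hlen) */
};

/* Pull the event serial out of "audit(SECONDS.MS:SERIAL): ..."; 0 if absent. */
unsigned long event_serial(const unsigned char *data, uint32_t n)
{
    char tmp[64];
    unsigned long serial = 0;
    if (n >= sizeof tmp) n = sizeof tmp - 1;   /* the prefix is short; payload is not NUL-terminated */
    memcpy(tmp, data, n);
    tmp[n] = '\0';
    if (sscanf(tmp, "audit(%*lu.%*u:%lu)", &serial) != 1) return 0;
    return serial;
}

/* Walk a buffer of binary audispd frames; returns the number of bytes consumed. */
size_t parse_stream(const unsigned char *buf, size_t len, struct stream_stats *st)
{
    size_t off = 0;
    memset(st, 0, sizeof *st);
    while (off < len) {
        struct disp_hdr h;
        if (len - off < sizeof h) { st->truncated = 1; break; }
        memcpy(&h, buf + off, sizeof h);
        /* Reject unknown versions; tolerate a header that grew beyond ours by honouring hlen. */
        if (h.ver != AUDISP_PROTO_VER || h.hlen < sizeof h) { st->bad = 1; break; }
        if (h.hlen > len - off || h.size > len - off - h.hlen) { st->truncated = 1; break; }
        const unsigned char *data = buf + off + h.hlen;
        unsigned long serial = event_serial(data, h.size);
        if (st->pending == 0) st->serial = serial;      /* first record opens a new event */
        else if (serial != st->serial) st->mismatch++;  /* record from a different event */
        if (h.type == AUDIT_EOE) { st->events++; st->pending = 0; } /* now safe to act on the event */
        else st->pending++;
        st->records++;
        off += h.hlen + h.size;
    }
    return off;
}

/* Append one frame laid out the way the dispatcher would emit it. */
static size_t put_frame(unsigned char *out, size_t cap, size_t off, uint32_t type, const char *text)
{
    struct disp_hdr h = { AUDISP_PROTO_VER, (uint32_t)sizeof(struct disp_hdr), type, (uint32_t)strlen(text) };
    if (off + sizeof h + h.size > cap) return off;
    memcpy(out + off, &h, sizeof h);
    memcpy(out + off + sizeof h, text, h.size);
    return off + sizeof h + h.size;
}

/* Constructed sample: one open(2) event, four records; every field value is made up. */
size_t build_sample(unsigned char *out, size_t cap)
{
    size_t off = 0;
    off = put_frame(out, cap, off, AUDIT_SYSCALL, "audit(1281999234.117:4201): arch=c000003e syscall=2 "
                    "success=yes exit=3 pid=2340 uid=500 comm=\"cat\" exe=\"/bin/cat\" key=\"notes\"");
    off = put_frame(out, cap, off, AUDIT_CWD, "audit(1281999234.117:4201):  cwd=\"/home/basim\"");
    off = put_frame(out, cap, off, AUDIT_PATH, "audit(1281999234.117:4201): item=0 name=\"notes.txt\" "
                    "inode=8421 dev=08:02 mode=0100644");
    off = put_frame(out, cap, off, AUDIT_EOE, "audit(1281999234.117:4201): ");
    return off;
}

/* Parse the sample with `cut` trailing bytes dropped (0 = the whole stream). */
struct stream_stats run_sample(size_t cut)
{
    unsigned char buf[1024];
    struct stream_stats st;
    size_t n = build_sample(buf, sizeof buf);
    parse_stream(buf, cut < n ? n - cut : 0, &st);
    return st;
}

int main(void)
{
    struct stream_stats st = run_sample(0);
    printf("full stream: records=%u events=%u pending=%u serial=%lu truncated=%d\n",
           st.records, st.events, st.pending, st.serial, st.truncated);
    st = run_sample(5);   /* chop the tail of the EOE frame: event must stay open */
    printf("cut stream:  records=%u events=%u pending=%u truncated=%d\n",
           st.records, st.events, st.pending, st.truncated);
    return 0;
}
```

In a real plugin the buffer is replaced by a loop on stdin that reads exactly `hlen` bytes of header and then `size` bytes of payload, retrying on short reads; the point the example makes is that nothing about an event is final until its AUDIT_EOE frame has been seen, and a stream that ends (or a pipe that closes) between records leaves the event open rather than complete.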