From: Steve Grubb <sgrubb@redhat.com>
To: Wajih Ul Hassan <wajih.lums@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: Send a message to audit.log
Date: Sat, 2 Feb 2019 11:36:04 +0100
Message-ID: <20190202113604.3eee8a66@ivy-bridge>
In-Reply-To: <CAH5sRbrFwacgC9Hef_+CCFTctxiUU3tJd0b9cHKWQWWPurCRQQ@mail.gmail.com>
On Fri, 1 Feb 2019 17:03:49 -0600
Wajih Ul Hassan <wajih.lums@gmail.com> wrote:
> Hi,
> Hi, I have a C application which needs to send a message to audit.log
> from userspace. I have been using `auditctl -m` format to send a
> message to audit.log using the `system` command, but it seems to degrade
> the performance of my application a lot.
> My question: is there any API to send a message programmatically from
> my application which is more efficient and robust?
Burn had some good advice. But if you really want to send an audit
event, then you might look at the general advice here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events
First, you need to pick an event type. If it's purely for your app, then
AUDIT_TRUSTED_APP is for you. Then you need to find the right logging
function for your event. I'd suggest looking at the available functions
at the bottom of /usr/include/libaudit.h. Probably
audit_log_user_message is your logging API unless it's an account or
command message.
-Steve
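
A sketch of the approach described in the reply above, as an added example that is not part of the thread or of the audit project's code: the netlink descriptor is opened once with audit_open() and reused, instead of spawning `auditctl -m` through system() for every message. The helper names (put_field, format_event, app_audit), the WITH_AUDIT build switch and the "op"/"detail" field names are assumptions made for this example; untrusted values are hex-encoded so they cannot inject extra name=value fields into the record.

```c
#include <stdio.h>
#include <string.h>
#ifdef WITH_AUDIT                 /* build: cc -DWITH_AUDIT app.c -laudit */
#include <libaudit.h>
#endif

/* Write name="value", or name=HEX when the value holds a quote, whitespace,
 * control or non-ASCII byte, so untrusted text cannot forge extra fields.
 * Returns the length written, or -1 if buf is too small. */
int put_field(char *buf, size_t len, const char *name, const char *val)
{
    const unsigned char *p;
    int unsafe = 0, n;
    for (p = (const unsigned char *)val; *p; p++)
        unsafe |= (*p == '"' || *p < 0x21 || *p > 0x7e);
    if (!unsafe) {
        n = snprintf(buf, len, "%s=\"%s\"", name, val);
        return (n < 0 || (size_t)n >= len) ? -1 : n;
    }
    n = snprintf(buf, len, "%s=", name);
    if (n < 0 || (size_t)n + 2 * strlen(val) >= len) return -1;
    for (p = (const unsigned char *)val; *p; p++)
        n += sprintf(buf + n, "%02X", (unsigned)*p);
    return n;
}

/* Build the event text; "op" and "detail" are field names assumed here. */
int format_event(char *buf, size_t len, const char *op, const char *detail)
{
    int n = snprintf(buf, len, "op=%s ", op);   /* op: fixed constant from the app */
    if (n < 0 || (size_t)n >= len) return -1;
    return put_field(buf + n, len - n, "detail", detail) < 0 ? -1 : 0;
}

/* Send one AUDIT_TRUSTED_APP record; ok is 1 for success, 0 for failure.
 * Returns <0 on error, 0 when audit support is not compiled in. */
int app_audit(const char *op, const char *detail, int ok)
{
    char msg[512];
    if (format_event(msg, sizeof msg, op, detail) < 0) return -1;
#ifdef WITH_AUDIT
    static int fd = -1;           /* opened once, reused for every event */
    if (fd < 0 && (fd = audit_open()) < 0) return -1;
    return audit_log_user_message(fd, AUDIT_TRUSTED_APP, msg, NULL, NULL, NULL, ok);
#else
    (void)ok;
    return 0;
#endif
}

int main(void) { return app_audit("export", "report 2019.csv", 1) < 0; }
```

Writing the record requires CAP_AUDIT_WRITE, so an unprivileged process gets an error back from audit_log_user_message.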