public inbox for linux-audit@redhat.com
* Send a message to audit.log
@ 2019-02-01 23:03 Wajih Ul Hassan
  2019-02-02  3:37 ` Burn Alting
  2019-02-02 10:36 ` Steve Grubb
  0 siblings, 2 replies; 3+ messages in thread
From: Wajih Ul Hassan @ 2019-02-01 23:03 UTC (permalink / raw)
  To: linux-audit


Hi,
I have a C application which needs to send a message to audit.log from
userspace. I have been using `auditctl -m` format to send a message to
audit.log using `system` command, but it seems to degrade the performance
of my application a lot.
My question is: is there any API to send a message programmatically from my
application which is more efficient and robust?
Thanks,
Wajih


* Re: Send a message to audit.log
  2019-02-01 23:03 Send a message to audit.log Wajih Ul Hassan
@ 2019-02-02  3:37 ` Burn Alting
  2019-02-02 10:36 ` Steve Grubb
  1 sibling, 0 replies; 3+ messages in thread
From: Burn Alting @ 2019-02-02  3:37 UTC (permalink / raw)
  To: Wajih Ul Hassan, linux-audit


Wajih,
Try man audit_log_user_message and note the need for CAP_AUDIT_WRITE ability (see
auditctl(8)).
That said, is there a reason you want a message going into the system kernel logging
mechanism? The only reason why I ask is, if your audit rules posture is aggressive
(many rules that fire) then you could slow down your application as it waits to
insert a message into the NETLINK_SOCKET it uses.
On *nix, syslog is the normal destination for application event logs. By separating
your application logs from operating system logs, you can more efficiently post
process them.
Regards

On Fri, 2019-02-01 at 17:03 -0600, Wajih Ul Hassan wrote:
> Hi,
> I have a C application which needs to send a message to audit.log from
> userspace. I have been using `auditctl -m` format to send a message to audit.log
> using `system` command, but it seems to degrade the performance of my
> application a lot.
> My question is: is there any API to send a message programmatically from my
> application which is more efficient and robust?
> Thanks,
> Wajih
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Send a message to audit.log
  2019-02-01 23:03 Send a message to audit.log Wajih Ul Hassan
  2019-02-02  3:37 ` Burn Alting
@ 2019-02-02 10:36 ` Steve Grubb
  1 sibling, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2019-02-02 10:36 UTC (permalink / raw)
  To: Wajih Ul Hassan; +Cc: linux-audit

On Fri, 1 Feb 2019 17:03:49 -0600
Wajih Ul Hassan <wajih.lums@gmail.com> wrote:

> Hi,
> I have a C application which needs to send a message to audit.log
> from userspace. I have been using `auditctl -m` format to send a
> message to audit.log using `system` command, but it seems to degrade
> the performance of my application a lot.
> My question is: is there any API to send a message programmatically from
> my application which is more efficient and robust?

Burn had some good advice. But if you really want to send an audit
event, then you might look at the general advice here:

https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events

First, you need to pick an event type. If it's purely for your app, then
AUDIT_TRUSTED_APP is for you. Then you need to find the right logging
function for your event. I'd suggest looking at the available functions
at the bottom of /usr/include/libaudit.h. Probably
audit_log_user_message is your logging API unless it's an account or
command message.

-Steve
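
An added example for the API named in the replies above (not code from the thread or from the audit project): it opens the audit descriptor once, then sends AUDIT_TRUSTED_APP records through audit_log_user_message, hex-encoding any untrusted value so it cannot inject extra fields or records. Assumptions: libaudit is loaded with dlopen only so the example builds without the development headers (an application would normally include libaudit.h and link with -laudit); encode_field, app_audit_init, app_audit_event and the op/target field names are hypothetical.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

#define TRUSTED_APP 1121 /* AUDIT_TRUSTED_APP in libaudit.h */
typedef int (*log_fn)(int, int, const char *, const char *,
                      const char *, const char *, int);
static int audit_fd = -1; /* opened once, reused for every event */
static log_fn log_msg;    /* audit_log_user_message, resolved at init */

/* Hypothetical helper: name="value", or name=HEX when value holds a space,
 * quote, control or non-ASCII byte, so it cannot forge fields or records.
 * Returns the length written, or -1 if out is too small. */
int encode_field(char *out, size_t cap, const char *name, const char *value)
{
    const unsigned char *v = (const unsigned char *)value;
    size_t i, len = strlen(value);
    int hex = 0, n;
    for (i = 0; i < len; i++)
        if (v[i] == '"' || v[i] < 0x21 || v[i] > 0x7e)
            hex = 1;
    if (!hex) {
        n = snprintf(out, cap, "%s=\"%s\"", name, value);
        return (n < 0 || (size_t)n >= cap) ? -1 : n;
    }
    n = snprintf(out, cap, "%s=", name);
    for (i = 0; n >= 0 && (size_t)n + 3 <= cap && i < len; i++)
        n += snprintf(out + n, cap - (size_t)n, "%02X", v[i]);
    return i < len ? -1 : n;
}

/* Resolve libaudit and open the audit fd once at startup. */
int app_audit_init(void)
{
    void *h = dlopen("libaudit.so.1", RTLD_NOW);
    int (*open_fn)(void) = h ? (int (*)(void))dlsym(h, "audit_open") : NULL;
    log_msg = h ? (log_fn)dlsym(h, "audit_log_user_message") : NULL;
    return (open_fn && log_msg) ? (audit_fd = open_fn()) : -1;
}

/* Log "op=<op> target=<encoded>"; > 0 (sequence number) means success. */
int app_audit_event(const char *op, const char *target, int ok)
{
    char field[256], msg[320];
    if (audit_fd < 0 || encode_field(field, sizeof field, "target", target) < 0)
        return -1;
    snprintf(msg, sizeof msg, "op=%s %s", op, field);
    return log_msg(audit_fd, TRUSTED_APP, msg, NULL, NULL, NULL, ok);
}
```

Call app_audit_init() once at startup and app_audit_event() per event; the send only succeeds when the process holds CAP_AUDIT_WRITE, and a result <= 0 should be treated as a lost audit record.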
