From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Send a message to audit.log Date: Sat, 2 Feb 2019 11:36:04 +0100 Message-ID: <20190202113604.3eee8a66@ivy-bridge> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Wajih Ul Hassan Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Fri, 1 Feb 2019 17:03:49 -0600 Wajih Ul Hassan wrote: > Hi, > Hi, I have a C application which needs to send a message to audit.log > from userspace. I have been using `auditctl -m` format to send a > message to audit.log using `system` command but it seems to degrade > performance a lot of my application. > My question is there any API to send a message programmatically from > my application which is more efficient and robust. Burn had some good advice. But if you really want to send an audit event, then you might look at the general advice here: https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events First, you need to pick an event type. If its purely for your app, then AUDIT_TRUSTED_APP is for you. Then you need to find the right logging function for your event. I'd suggest looking at the available functions at the bottom of /usr/include/libaudit.h. Probably audit_log_user_message is your logging API unless its an account or command message. -Steve