From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Tarun Ramesh <tramesh@acalvio.com>
Subject: Re: auparse_feed callback on EOE record
Date: Tue, 11 Jun 2019 12:19:05 -0400
Message-ID: <4766346.QBaMZih7XG@x2>
In-Reply-To: <CAFQMB-USapCi=pV8ZNkNwTAYZ0FuVKaMKKQvK4y19RUmL90zhA@mail.gmail.com>
On Tuesday, June 11, 2019 2:56:23 AM EDT Tarun Ramesh wrote:
> The callback function on_audit_event() just goes through the records one by
> one and prints the fields and values. I have added a rule to watch for
> file edits in the /home folder. I see the records for file creation in
> this folder being received, however it looks like the callback function is
> not being called when an EOE record is received. Please let me know if I'm
> missing something.
As long as the format exactly matches how auditd creates the record (on a cursory
glance it appears OK), the records get grouped inside auparse to form a
complete event. When the event is determined to be complete, it is passed to
the registered callback function. You need to iterate over the individual
records to see the whole event.
So, you do not get a callback on an individual record; you are called back on
a complete event. The EOE record should be the last record. You can use
auparse_next_record() to iterate across records.
-Steve
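The grouping behaviour Steve describes, as an added illustration that is not part of this thread and not auparse's own code: a small Python model of auparse's feed mode. A real consumer would call auparse_init(AUSOURCE_FEED, NULL), auparse_add_callback(), auparse_feed() for each chunk, auparse_flush_feed() at the end, and loop with auparse_next_record() inside the callback; here those are stood in for by EventFeed.feed(), EventFeed.flush() and a plain loop over the records. The audit lines are constructed sample data (field values are illustrative, not captured output), and the way unparsable lines are skipped is an assumption of this model.

```python
import re
from collections import namedtuple
from typing import Callable, List, Optional, Tuple

# Every raw record starts with "type=<TYPE> msg=audit(<secs>.<millis>:<serial>): ".
# The (timestamp, serial) pair tells you which event a record belongs to.
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value pairs: the value is a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(?P<key>[\w-]+)=(?P<val>"[^"]*"|\S+)')

Record = namedtuple("Record", ["type", "ts", "serial", "fields"])


def parse_record(line: str) -> Optional[Record]:
    """Parse one raw record line; return None for lines that are not records."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return Record(m.group("type"), m.group("ts"), int(m.group("serial")), fields)


class EventFeed:
    """Model of auparse feed mode: chunks of any size in, one callback per complete event out."""

    def __init__(self, callback: Callable[[List[Record]], None]):
        self._callback = callback
        self._pending = ""                  # partial trailing line from the last chunk
        self._current: List[Record] = []    # records of the event being assembled
        self._key: Optional[Tuple[str, int]] = None

    def feed(self, chunk: str) -> None:
        self._pending += chunk
        while "\n" in self._pending:
            line, self._pending = self._pending.split("\n", 1)
            rec = parse_record(line)
            if rec is None:
                continue  # unparsable line is skipped (assumption of this model)
            key = (rec.ts, rec.serial)
            if self._current and key != self._key:
                # A record from a different event arrived, so the one being
                # assembled is complete even though no EOE was seen for it.
                self._emit()
            self._key = key
            self._current.append(rec)
            if rec.type == "EOE":
                # EOE closes the event: the callback runs now, with EOE last.
                self._emit()

    def flush(self) -> None:
        """Counterpart of auparse_flush_feed(): hand over a half-built event."""
        if self._current:
            self._emit()

    def _emit(self) -> None:
        event, self._current, self._key = self._current, [], None
        self._callback(event)


# Constructed sample: two file creations under /home, as a watch rule on
# /home would report them. Values are illustrative, not captured output.
SAMPLE_LOG = "\n".join([
    'type=SYSCALL msg=audit(1560232000.123:4567): arch=c000003e syscall=257 success=yes exit=3 key="home-edits"',
    'type=CWD msg=audit(1560232000.123:4567): cwd="/home/tarun"',
    'type=PATH msg=audit(1560232000.123:4567): item=0 name="/home/tarun/notes.txt" nametype=CREATE',
    'type=EOE msg=audit(1560232000.123:4567): ',
    'type=SYSCALL msg=audit(1560232001.500:4568): arch=c000003e syscall=257 success=yes exit=4 key="home-edits"',
    'type=PATH msg=audit(1560232001.500:4568): item=0 name="/home/tarun/todo.txt" nametype=CREATE',
    'type=EOE msg=audit(1560232001.500:4568): ',
]) + "\n"


def on_audit_event(event: List[Record]) -> None:
    """Walk the records of a complete event (the auparse_next_record() loop)."""
    print(f"event {event[0].ts}:{event[0].serial} with {len(event)} records")
    for rec in event:
        print(f"  {rec.type}: " + " ".join(f"{k}={v}" for k, v in rec.fields.items()))


def run_demo(chunk_size: int = 7) -> List[List[Record]]:
    """Feed SAMPLE_LOG in small chunks; return the events the callback received."""
    events: List[List[Record]] = []

    def callback(event: List[Record]) -> None:
        events.append(event)
        on_audit_event(event)

    feed = EventFeed(callback)
    for i in range(0, len(SAMPLE_LOG), chunk_size):
        feed.feed(SAMPLE_LOG[i:i + chunk_size])
    feed.flush()
    return events


if __name__ == "__main__":
    run_demo()
```

Feeding the log seven characters at a time shows the point of the thread: seven records go in, but the callback runs only twice, once per event, and each event it receives ends with its EOE record. A per-record callback is never made.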