From: dump@tzib.net
Subject: auparse, stdin, and AUPARSE_CB_EVENT_READY
Date: Mon, 05 Mar 2012 16:23:32 -0800
Message-ID: <4F555904.8000603@tzib.net>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

I made an audispd plugin, which reads from stdin and sends the strings to
auparse_feed() (auditd-2.1.3).
This works fine on the command line. When called from audispd, however, it
gives AUPARSE_CB_EVENT_READY for each single message, instead of after a
complete event has been parsed.

So when you have 4 messages for one event:
- each of them appears as a single event when the plugin is started via
  audispd.
- a single event for all 4 messages appears when the plugin is started on
  the command line (and the log data fed via stdin, like
  cat test | audispd-testplugin)

Looking at the write code it looks ok (audisp/audispd.c):

static int write_to_plugin(event_t *e, const char *string, size_t string_len,
..
(note that I'm using string type so it's the string code part)
        if (conf->p->format == F_STRING) {
                do {
                        rc = write(conf->p->plug_pipe[1], string, string_len);
                } while (rc < 0 && errno == EINTR);
        }

Do you know what causes this behavior, and/or how to "fix" it?

Thanks
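
Added example (not part of the original post, and not libauparse's implementation): records that belong to one audit event carry the same timestamp:serial pair in their msg=audit(...) field, so a plugin can check for itself how many records make up each event regardless of how they arrive on stdin. The names struct grouper, event_id and grouper_feed are hypothetical, and the sample records are constructed.

```c
#include <stdio.h>
#include <string.h>

struct grouper { char cur[64]; int pending; int last_size; };

/* Copy the "timestamp:serial" id out of msg=audit(...); -1 if absent. */
static int event_id(const char *rec, char *out, size_t outlen)
{
    const char *p = strstr(rec, "msg=audit(");
    const char *end = p ? strchr(p, ')') : NULL;
    if (!end) return -1;
    p += strlen("msg=audit(");
    if ((size_t)(end - p) >= outlen) return -1;
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 0;
}

/* Feed one record, or NULL at end of input. Returns 1 when the open event
 * is closed (new id or end of input), 0 otherwise, -1 for a record with no id. */
static int grouper_feed(struct grouper *g, const char *rec)
{
    char id[64] = "";
    if (rec && event_id(rec, id, sizeof(id)) != 0) return -1;
    if (rec && g->pending && strcmp(id, g->cur) == 0) { g->pending++; return 0; }
    int closed = g->pending > 0;
    if (closed) g->last_size = g->pending;   /* size of the event just closed */
    strcpy(g->cur, id);
    g->pending = rec ? 1 : 0;
    return closed;
}

/* Constructed sample: four records share serial 500, one has serial 501. */
static const char *SAMPLE[] = {
    "type=SYSCALL msg=audit(1330993412.101:500): syscall=2 success=yes",
    "type=CWD msg=audit(1330993412.101:500): cwd=\"/root\"",
    "type=PATH msg=audit(1330993412.101:500): item=0 name=\"/etc/passwd\"",
    "type=EOE msg=audit(1330993412.101:500): ",
    "type=USER_LOGIN msg=audit(1330993413.250:501): pid=1234 uid=0",
    NULL, /* end of input */
};
static struct grouper G; /* zero-initialized: no open event */

int main(void)
{
    for (size_t i = 0; i < sizeof(SAMPLE) / sizeof(SAMPLE[0]); i++)
        if (grouper_feed(&G, SAMPLE[i]) == 1)
            printf("event ready: %d records\n", G.last_size);
    return 0;
}
```

Records are fed one per call, the way a dispatcher plugin receives them; the first event is reported only once a record with a different id (or end of input) is seen.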