From: Burn Alting
To: Wajih Ul Hassan, linux-audit@redhat.com
Subject: Re: Send a message to audit.log
Date: Sat, 02 Feb 2019 14:37:27 +1100
Reply-To: burn@swtf.dyndns.org

Wajih,

Try

    man audit_log_user_message

and note the need for CAP_AUDIT_WRITE ability (see auditctl(8))

That said, is there a reason you want a message going into the system kernel logging mechanism? The only reason why I ask is, if your audit rules posture is aggressive (many rules that fire) then you could slow down your application as it waits to insert a message into the NETLINK_SOCKET it uses.

On *nix, syslog is the normal destination for application event logs. By separating your application logs from operating system logs, you can more efficiently post process them.

Regards

On Fri, 2019-02-01 at 17:03 -0600, Wajih Ul Hassan wrote:
> Hi,
> Hi, I have a C application which needs to send a message to audit.log from
> userspace. I have been using `auditctl -m` format to send a message to audit.log
> using `system` command but it seems to degrade performance a lot of my
> application.
> My question is: is there any API to send a message programmatically from my
> application which is more efficient and robust?
> Thanks,
> Wajih
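An added example, not code from this thread or from the audit project: the exchange above, shown as one long-lived `NETLINK_AUDIT` socket that sends `AUDIT_USER` records and waits for the kernel's answer, instead of running `auditctl -m` through `system()` for every event. It uses raw netlink with kernel headers only so that it builds without libaudit; the helper names are hypothetical, and the libaudit call named in the reply remains the supported interface.

```c
/* Added example; helper names are hypothetical, not libaudit's API. */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Lay out one AUDIT_USER request (the record type `auditctl -m` sends).
 * Returns the number of bytes to send, or 0 if the text does not fit. */
size_t build_user_audit_msg(void *buf, size_t cap, const char *text, unsigned seq)
{
    struct nlmsghdr *nlh = buf;
    size_t payload = strlen(text) + 1;             /* send the trailing NUL too */
    if (NLMSG_SPACE(payload) > cap) return 0;
    memset(buf, 0, NLMSG_SPACE(payload));
    nlh->nlmsg_len = NLMSG_LENGTH(payload);
    nlh->nlmsg_type = AUDIT_USER;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;  /* ask the kernel to answer */
    nlh->nlmsg_seq = seq;
    memcpy(NLMSG_DATA(nlh), text, payload);
    return NLMSG_SPACE(payload);
}

/* Call once at startup and keep the descriptor. Returns fd or -errno. */
int audit_sock_open(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    return fd < 0 ? -errno : fd;
}

/* Send one message and block for the ACK (the wait the reply mentions).
 * Returns 0 or -errno; -EPERM means the process lacks CAP_AUDIT_WRITE. */
int audit_sock_send(int fd, const char *text, unsigned seq)
{
    union { struct nlmsghdr h; char b[1024]; } m;
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK };  /* nl_pid 0: kernel */
    size_t len = build_user_audit_msg(&m, sizeof m, text, seq);
    if (len == 0) return -EMSGSIZE;
    if (sendto(fd, &m, len, 0, (struct sockaddr *)&kern, sizeof kern) < 0) return -errno;
    if (recv(fd, &m, sizeof m, 0) < 0) return -errno;
    if (m.h.nlmsg_type == NLMSG_ERROR)
        return ((struct nlmsgerr *)NLMSG_DATA(&m.h))->error;  /* 0 is the ACK */
    return 0;
}

int main(void)
{
    int fd = audit_sock_open();                    /* one socket for the process */
    return fd < 0 || audit_sock_send(fd, "op=example res=success", 1) != 0;
}
```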