From mboxrd@z Thu Jan 1 00:00:00 1970
From: hsultan@thefroid.net
Subject: Re: ABI guarantee for auditd
Date: Fri, 16 Jan 2015 13:34:32 -0800
Message-ID:
References: <3fbf5caa9cacbccadda7623eabadbc05@thefroid.net> <3567295.SZ2jdmf0NG@x2> <67f972dd606a13a87560d389463a5390@thefroid.net> <1952249.ljydSPkMKP@x2>
In-Reply-To: <1952249.ljydSPkMKP@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 2015-01-16 05:48, Steve Grubb wrote:
> On Thursday, January 15, 2015 06:20:41 PM hsultan@thefroid.net wrote:
>> Thanks for the info, so I tried using libauparse (again, Ubuntu 14.04
>> LTS), however I'm hitting something truly weird: once I've added the
>> event parsing code (taken from
>>
>> https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.c
>> ) and added -lauparse, what I get out of audit_get_reply now is
>> mangled.
>
> Why are you using that in an analytical program? That is a very low level
> function for getting events out of the kernel. You might want to have a look
> at this presentation to understand the audit architecture:
>
> http://people.redhat.com/sgrubb/audit/audit_ids_2011.pdf
>
> Auditd handles getting events from the kernel, passes them to audispd, you
> have a plugin to audispd and get the event in realtime. If you want events on
> disk, you just tell auparse_init that you want to use the logs as your source.
>
> Libauparse handles events after they have been processed by auditd.

I know. I sadly can't describe what I'm working on, however I have some
stringent perf requirements. That's why I've been looking at doing custom
parsing and that's why I'm bypassing the auditd daemon completely.

I figured out how to recreate a msg that auparse likes from the output of
audit_get_reply, and right now I'm planning on having both 'modes' (fast
using custom parsing / slower but 'official' parsing) live in the binary,
and simply have my process choose at start time after parsing some
specifically generated audit msgs. If my custom parsing goes through
properly, then I'll use my faster & custom parsing, otherwise I'll revert to
the official but slower parsing (and patch appropriately to correct my
custom parsing in the meantime).

Thanks,
Hassan
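An added illustration of the plan in Hassan's last paragraph (written for this page; not code from the thread, from Ubuntu, or from the audit project): a minimal custom parser for the raw audit record text, plus the start-time self-check that decides whether the fast path may be trusted or the process should fall back to libauparse. The record is constructed and the parser is standalone; it calls neither libaudit nor libauparse.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample record, in the text form the kernel/auditd emits. */
static const char SAMPLE[] =
    "type=SYSCALL msg=audit(1421444072.123:4567): arch=c000003e syscall=59 "
    "success=yes exit=0 ppid=1 pid=1234 uid=0 comm=\"cat\" exe=\"/usr/bin/cat\" key=\"exec\"";

/* Parse the msg=audit(SECONDS.MILLIS:SERIAL) header; returns 1 on success. */
int audit_parse_header(const char *rec, unsigned long *sec, unsigned *ms, unsigned long *serial)
{
    const char *p = strstr(rec, "msg=audit(");
    return p && sscanf(p + 10, "%lu.%u:%lu)", sec, ms, serial) == 3;
}

/* Copy the value of `key` into out (quotes stripped); returns 1 if found. Only whole keys
 * match (record start or space before, '=' after), so "pid" never hits "ppid=". Values
 * the kernel hex-encodes (e.g. proctitle) are returned undecoded. */
int audit_get_field(const char *rec, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key), n;
    const char *p = rec, *v, *end;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            v = p + klen + 1;
            if (*v == '"') { v++; end = strchr(v, '"'); if (!end) return 0; }
            else { end = strchr(v, ' '); if (!end) end = v + strlen(v); }
            n = (size_t)(end - v);
            if (n >= outsz) return 0;               /* refuse to truncate silently */
            memcpy(out, v, n); out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Start-time self-check: parse a record with known content and trust the fast path
 * only if every field comes back exactly as expected. */
int fast_parser_ok(void)
{
    char buf[64]; unsigned long sec, serial; unsigned ms;
    if (!audit_parse_header(SAMPLE, &sec, &ms, &serial)) return 0;
    if (sec != 1421444072UL || ms != 123 || serial != 4567) return 0;
    if (!audit_get_field(SAMPLE, "exe", buf, sizeof buf) || strcmp(buf, "/usr/bin/cat")) return 0;
    if (!audit_get_field(SAMPLE, "pid", buf, sizeof buf) || strcmp(buf, "1234")) return 0;
    return !audit_get_field(SAMPLE, "id", buf, sizeof buf);   /* must not match inside "pid" */
}
```

A real deployment would run `fast_parser_ok()` once at start-up over several generated records and choose the libauparse path whenever it returns 0.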