On Wednesday, October 8, 2025 11:03:41 AM Eastern Daylight Time Jean-Jacques
Pitrolle wrote:
Hi list,
I'm looking for an example to receive auditd events *continuously* and
print them to the standard output.
I found a simple example which uses the *auparse* library here:
https://security-plus-data-science.blogspot.com/2017/04/writing-basic-auparse-program.html
I added the following lines to loop 'forever':
8<---
[..]
    while (1) {
        auparse_first_record(au);
        [..]
        sleep(1);
    }
    auparse_destroy(au);
    return 0;
}
-->8
The problem with this example is that the output only shows the events which
were available *before* the binary started, not the events that arrived *after*.
This construct is intended for files or memory buffers. Something that you
need to iterate across. What you want is the feed api. This is how all the
plugins work. You can find an example here:
https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/audisp-example.c#L117
8<---
./dummy-auditd &
~ # Record type: DAEMON_START -
type,op,ver,format,kernel,auid,pid,uid,ses,res
Record type: CONFIG_CHANGE - type,op,audit_backlog_limit,old,auid,ses,res
[..]
Record type: PROCTITLE - type,proctitle
Record type: 0 - (null)
Record type: 0 - (null)
..
-->8
I want the events printed *continuously*, i.e. the new events *shall*
appear on the standard output.
Note that plugins are designed to read stdin. So, you can cat a file into one
for testing purposes. A real plugin couldn't write to stdout because that is
/dev/null.
Can you point me to some examples in the git repository or a URL that
describes how to do it, please?
Another example:
https://github.com/linux-audit/audit-userspace/blob/audit-3.1-maint/audisp/plugins/statsd/audisp-statsd.c
I surely missed something in the documentation, so let me know if that is
the case.
The feed API.
-Steve