Hi, I am following the sample code at
https://github.com/linux-audit/audit-userspace/blob/4939b8541322cbf3a53affc28e71ce53d92f121f/contrib/plugin/audisp-example.c
to write my own plugin. The number of events that will be generated on my system will be
huge as I want to monitor a lot of root activities. So in my plugin I have created 2
threads: reader and processor. Reader is reading off the STDIN and putting the
"msg" (MAX_AUDIT_MESSAGE_LENGTH) into a list. Processor is popping each
"msg" off the list and calling "auparse_feed" for each msg. Finally,
in handle_event, I am looping through the records of each event and calling my own
logging API to log it on the remote server. I am seeing a lot (in the 1000s) of
repetitive audit records on my remote server (exact same records, same timestamp and same
ID value), though I do not see the same in the local audit.log file.
Not sure what's going wrong with my logic.
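As an added example (not the poster's plugin code, and independent of libauparse): a plain C check that parses the event serial out of the `msg=audit(<sec>.<msec>:<serial>)` header and counts records that repeat an earlier record byte for byte. Run over the raw messages as they come off STDIN, it tells you whether the duplicates are already present in the stream the plugin reads or only appear further down the pipeline; the sample records below are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a three-record SYSCALL event (serial 24287) with two of
 * its records repeated verbatim, followed by a second event (serial 24288). */
static const char *const sample_records[] = {
    "type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 comm=\"cat\" key=\"sshd_config\"",
    "type=CWD msg=audit(1364481363.243:24287): cwd=\"/home/shadowman\"",
    "type=PATH msg=audit(1364481363.243:24287): item=0 name=\"/etc/ssh/sshd_config\" mode=0100600 ouid=0 ogid=0",
    "type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 comm=\"cat\" key=\"sshd_config\"",
    "type=CWD msg=audit(1364481363.243:24287): cwd=\"/home/shadowman\"",
    "type=USER_LOGIN msg=audit(1364481364.001:24288): pid=1234 uid=0 res=success",
};
#define SAMPLE_COUNT (sizeof(sample_records) / sizeof(sample_records[0]))

/* Parse the event serial out of "msg=audit(<sec>.<msec>:<serial>)".
 * Returns the serial, or -1 when the record has no well-formed header. */
long audit_event_serial(const char *rec)
{
    const char *p = strstr(rec, "msg=audit(");
    unsigned long sec, msec;
    long serial;
    char close;
    if (p == NULL)
        return -1;
    if (sscanf(p + strlen("msg=audit("), "%lu.%lu:%ld%c",
               &sec, &msec, &serial, &close) != 4 || close != ')')
        return -1;
    return serial;
}

/* Count records that repeat an earlier record byte for byte. Sharing a serial
 * is normal for the records of one event, so only identical text is a dup. */
size_t count_duplicate_records(const char *const *recs, size_t n)
{
    size_t dups = 0;
    for (size_t i = 1; i < n; i++)
        for (size_t j = 0; j < i; j++)
            if (strcmp(recs[i], recs[j]) == 0) { dups++; break; }
    return dups;
}

int main(void)
{
    printf("serial of first record: %ld\n", audit_event_serial(sample_records[0]));
    printf("duplicate records: %zu\n", count_duplicate_records(sample_records, SAMPLE_COUNT));
    return 0;
}
```

Running the same count on the reader side (before the list) and in handle_event (after auparse) shows which stage introduces repeats.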