Hi Steve,
Thanks for the reply. I compared the record string I was passing to
auparse_feed() against the example string in auparse/test/auparse_test.c
(in audit-userspace git repo).
Looks like I needed to prepend "msg=" before the audit message and pass the
exact length of the record string to auparse_feed().
Changing the lines in the code to:
    snprintf(record_buffer, (record_buffer_len - 1), "type=%s msg=%.*s\n",
             type_name, reply.len, reply.message);
    auparse_feed(au, record_buffer, strlen(record_buffer));
worked.
Also I noticed that the EOE record is treated as its own event even though
there were other records with the same audit serial number. I guess this is
expected as after EOE there will be no more records for this event and if
EOE was treated as a part of the previous event, then it will not be
possible to tell when this event is complete.
Thanks for the help,
Tarun
On Tue, Jun 11, 2019 at 9:49 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
On Tuesday, June 11, 2019 2:56:23 AM EDT Tarun Ramesh wrote:
> The callback function on_audit_event() just goes through the records one
> by one and prints the fields and values. I have added a rule to watch for
> file edits in the /home folder. I see the records for file creation in
> this folder being received, however it looks like the callback function
> is not being called when an EOE record is received. Please let me know if
> I'm missing something.
As long as the format exactly matches how auditd creates the record (a
cursory glance appears ok), the records get grouped inside auparse to form a
complete event. When the event is determined to be complete, it is passed to
the registered callback function. You need to iterate over the individual
records to see the whole event.

So, you do not get a callback on an individual record, you are called back on
a complete event. The EOE record should be the last record. You can use
auparse_next_record() to iterate across records.
-Steve
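The record layout and the event-grouping rule discussed in this thread, as an added Python model that is not libauparse and not code from either poster: format_record() mirrors the "type=%s msg=%.*s\n" layout Tarun ended up passing to auparse_feed(), and FeedModel stands in for auparse_feed() plus the registered callback, grouping records by serial number and treating an EOE record as the last record of an event, as Steve describes. Lines that lack the "msg=audit(...)" prefix are dropped and never form an event, which is the symptom Tarun saw before adding "msg=". The sample records, class and function names are constructed for this example.

```python
import re

# Constructed sample input: (type name, message) pairs, standing in for the
# type_name / reply.message values in the thread. Values are hypothetical.
SAMPLE_RECORDS = [
    ("SYSCALL", 'audit(1560230000.123:4242): arch=c000003e syscall=257 '
                'success=yes exit=3 key="home-watch"'),
    ("CWD", 'audit(1560230000.123:4242): cwd="/home/tarun"'),
    ("PATH", 'audit(1560230000.123:4242): item=1 name="notes.txt" nametype=CREATE'),
    ("EOE", "audit(1560230000.123:4242): "),
]

# A record must look like auditd output: "type=<T> msg=audit(<ts>:<serial>): ..."
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")


def format_record(type_name, message):
    """Same layout as the snprintf in the thread: "type=%s msg=%.*s\\n"."""
    return f"type={type_name} msg={message}\n"


class FeedModel:
    """Stand-in for the auparse feed loop: buffers records until an event is
    complete, then hands the whole event to the callback (not libauparse)."""

    def __init__(self, callback):
        self.callback = callback
        self.pending = []          # records of the event being assembled
        self.pending_serial = None
        self.rejected = []         # lines that did not match auditd's format

    def feed(self, text):
        """Consume newline-terminated records; return how many were accepted."""
        accepted = 0
        for line in text.splitlines():
            m = RECORD_RE.match(line)
            if m is None:
                # Without "msg=audit(...)" the line cannot be grouped, so it is
                # dropped and the callback is never invoked for it.
                self.rejected.append(line)
                continue
            rtype, ts, serial, body = m.groups()
            fields = {}
            for token in body.split():
                if "=" in token:
                    key, value = token.split("=", 1)
                    fields[key] = value.strip('"')
            record = {"type": rtype, "time": ts, "serial": int(serial),
                      "fields": fields}
            # A different serial number means a new event started.
            if self.pending and record["serial"] != self.pending_serial:
                self._complete()
            self.pending.append(record)
            self.pending_serial = record["serial"]
            accepted += 1
            # EOE is the last record of an event, so the event is complete now.
            if rtype == "EOE":
                self._complete()
        return accepted

    def flush(self):
        """Deliver whatever is still buffered (end of input)."""
        if self.pending:
            self._complete()

    def _complete(self):
        event = self.pending
        self.pending, self.pending_serial = [], None
        self.callback(event)


def assemble(pairs):
    """Format each pair as the thread does, feed it, return (events, rejected)."""
    events = []
    model = FeedModel(events.append)
    for type_name, message in pairs:
        model.feed(format_record(type_name, message))
    model.flush()
    return events, model.rejected


if __name__ == "__main__":
    events, rejected = assemble(SAMPLE_RECORDS)
    for event in events:
        print("event serial", event[0]["serial"],
              "records:", [r["type"] for r in event])
        for record in event:
            print("  ", record["type"], record["fields"])
    print("rejected lines:", rejected)
```

The callback receives one list per event, so a consumer walks the records inside it, which is what the auparse_next_record() loop Steve mentions does over the real event. The flush() step mirrors the need to drain whatever is buffered when the input ends, since a final event may have no EOE behind it.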