audisp-plugin.
by nupurdeora@gmail.com
Hi, I am following the sample code at https://github.com/linux-audit/audit-userspace/blob/4939b8541322cbf3a53affc28e71ce53d92f121f/contrib/plugin/audisp-example.c to write my own plugin. The number of events that will be generated on my system will be huge, as I want to monitor a lot of root activities. So in my plugin I have created two threads: a reader and a processor. The reader reads off STDIN and puts the "msg" (MAX_AUDIT_MESSAGE_LENGTH) into a list. The processor pops each "msg" off the list and calls "auparse_feed" for each msg. Finally, in handle_event, I loop through the records of each event and call my own logging API to log it on the remote server. I am seeing a lot (in the 1000s) of repetitive audit records on my remote server (exact same records, same timestamp and same ID value), though I do not see the same in the local audit.log file.
Not sure what's going wrong with my logic.
4 months, 3 weeks
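An added example, not code from the post above and not from audit-userspace: a two-thread reader/processor hand-off of the kind the post describes, in which every queued message owns its own heap copy and the processor hands each line to the parser exactly once. It assumes the plugin reads one audit record per line from stdin, as audisp-example.c does. auparse_feed() is replaced by a counting stand-in (fake_feed) so the example builds without libauparse, and the four audit lines in SAMPLE are constructed, not real log data.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_AUDIT_MESSAGE_LENGTH 8970      /* same constant as libaudit.h */

struct node { struct node *next; char msg[]; };   /* one allocation per message */

struct queue {
    pthread_mutex_t lock;
    pthread_cond_t nonempty;
    struct node *head, *tail;
    int closed;
};

/* Reader side. The line is copied into its own node. If the queue held a
 * pointer to the buffer fgets() reuses, each node would read whatever that
 * buffer contained when the processor reached it: the same record N times. */
static int queue_push(struct queue *q, const char *line)
{
    size_t len = strnlen(line, MAX_AUDIT_MESSAGE_LENGTH);
    struct node *n = malloc(sizeof *n + len + 1);
    if (!n)
        return -1;
    memcpy(n->msg, line, len);
    n->msg[len] = '\0';
    n->next = NULL;
    pthread_mutex_lock(&q->lock);
    if (q->tail) q->tail->next = n; else q->head = n;
    q->tail = n;
    pthread_cond_signal(&q->nonempty);
    pthread_mutex_unlock(&q->lock);
    return 0;
}

/* Processor side: blocks until a message arrives or the reader closes the
 * queue (EOF on stdin). Returns NULL only when closed and drained; the caller
 * owns the node and frees it after feeding it to the parser. */
static struct node *queue_pop(struct queue *q)
{
    pthread_mutex_lock(&q->lock);
    while (!q->head && !q->closed)
        pthread_cond_wait(&q->nonempty, &q->lock);
    struct node *n = q->head;
    if (n && !(q->head = n->next))
        q->tail = NULL;
    pthread_mutex_unlock(&q->lock);
    return n;
}

static void queue_close(struct queue *q)
{
    pthread_mutex_lock(&q->lock);
    q->closed = 1;
    pthread_cond_broadcast(&q->nonempty);
    pthread_mutex_unlock(&q->lock);
}

/* Stand-in for auparse_feed(au, msg, strlen(msg)): remembers each distinct
 * line so the hand-off can be checked for duplicates and drops. */
struct feed_stats { int total, dups, nseen; char *seen[64]; };

static void fake_feed(struct feed_stats *st, const char *msg)
{
    st->total++;
    for (int i = 0; i < st->nseen; i++)
        if (strcmp(st->seen[i], msg) == 0) { st->dups++; return; }
    if (st->nseen < 64)
        st->seen[st->nseen++] = strdup(msg);
}

struct ctx { struct queue q; struct feed_stats st; const char *const *lines; size_t n; };

static void *reader(void *arg)           /* stands in for the fgets(stdin) loop */
{
    struct ctx *c = arg;
    for (size_t i = 0; i < c->n; i++)
        queue_push(&c->q, c->lines[i]);
    queue_close(&c->q);                   /* EOF: let the processor drain and exit */
    return NULL;
}

static void *processor(void *arg)
{
    struct ctx *c = arg;
    for (struct node *n; (n = queue_pop(&c->q)) != NULL; free(n))
        fake_feed(&c->st, n->msg);        /* real plugin: auparse_feed(au, n->msg, strlen(n->msg)) */
    return NULL;
}

/* Runs both threads over the lines and fills st; queue state is zeroed by
 * the designated initializer, so only the mutex and condvar need init. */
static void run_pipeline(const char *const *lines, size_t n, struct feed_stats *st)
{
    struct ctx c = { .lines = lines, .n = n };
    pthread_mutex_init(&c.q.lock, NULL);
    pthread_cond_init(&c.q.nonempty, NULL);
    pthread_t r, p;
    pthread_create(&p, NULL, processor, &c);
    pthread_create(&r, NULL, reader, &c);
    pthread_join(r, NULL);
    pthread_join(p, NULL);
    *st = c.st;
    for (int i = 0; i < st->nseen; i++) free(st->seen[i]);
}

int count_duplicates(const char *const *lines, size_t n)
{ struct feed_stats st; run_pipeline(lines, n, &st); return st.dups; }

int count_fed(const char *const *lines, size_t n)
{ struct feed_stats st; run_pipeline(lines, n, &st); return st.total; }

/* Constructed sample: four records of one event (same timestamp and serial). */
const char *const SAMPLE[] = {
    "type=SYSCALL msg=audit(1700000000.101:4242): arch=c000003e syscall=59 success=yes exit=0 uid=0",
    "type=EXECVE msg=audit(1700000000.101:4242): argc=2 a0=\"cat\" a1=\"/etc/shadow\"",
    "type=CWD msg=audit(1700000000.101:4242): cwd=\"/root\"",
    "type=EOE msg=audit(1700000000.101:4242): ",
};
const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];

int main(void)
{
    printf("fed %d records, %d duplicates\n",
           count_fed(SAMPLE, SAMPLE_N), count_duplicates(SAMPLE, SAMPLE_N));
    return 0;
}
```

To use the pattern in a real plugin, replace fake_feed with auparse_feed(au, n->msg, strlen(n->msg)) in the processor thread, keep the auparse state owned by that one thread, and call auparse_flush_feed(au) after queue_pop returns NULL so the final event is delivered to handle_event. The point the example makes is ownership: each node carries its own copy and is freed once, so a record can reach the parser only as many times as it was read. A queue that stores pointers to a single reused read buffer instead gives the processor whatever that buffer holds at pop time, which is one way to see one record repeated many times with identical timestamp and serial.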