Never mind... I found out why it was not working...

1. auparse_next_event() does not call callback function. I have to call that function when auparse_next_event() returns.

2. it expects events in string format. I configured the plugin to send events in binary format. hence auparse_next_event() was not returning..

3. auparse_next_event() returns only when the parser sees the beginning of the next event.. i.e first event is returned after seeing the beginning of the 2nd event. Is this expected?

--Satish

On Wed, Jul 29, 2015 at 4:36 PM, Satish Chandra Kilaru <iam.kilaru@gmail.com> wrote:

Has anyone tried AUSOURCE_DESCRIPTOR with a unix socket as fd?

I am doing the following.

int sd_u = socket(AF_UNIX, SOCK_STREAM, 0);
connect(sd_u, (struct sockaddr *) &sa, sizeof(sa))!=0)
auparse_state_t *au = auparse_init(AUSOURCE_DESCRIPTOR, (const void *)sd_u);
auparse_add_callback(au, auparse_callback, event_cnt, free);
ausearch_next_event(au);

My auparse_callback() is not getting called. My program just blocks in ausearch_next_event().

read(sd_u, buf, sizeof(buf)) gets me events... That means I am using correct unix socket.
How do I make the callback function to get called for each event?

Am I missing something here?

Thanks in advance.
--Satish
--
Please Donate to www.wikipedia.org

Please Donate to www.wikipedia.org