Re: libauparse: read audit events continously?

On Wednesday, October 8, 2025 11:03:41 AM Eastern Daylight Time Jean-Jacques Pitrolle wrote: > Hi list, > I'm looking for an example to receive auditd event *continously* and > print them to the standard output. > > I found simple example which use *auparse* library here: > https://security-plus-data-science.blogspot.com/2017/04/writing-basic-aupar > se-program.html > I add a the following lines to loop 'forever' > 8<--- > [..] > while (1) { > auparse_first_record(au); > [..] > sleep(1); > } > > auparse_destroy(au); > > return 0; > } > -->8 > > The problem with this example is the output only shows the events which > are available *before* binary startup not the event arrived *after*. This construct is intended for files or memory buffers. Something that you need to iterate across. What you want is the feed api. This is how all the plugins work. You can find an example here: https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/ audisp-example.c#L117

> 8<--- > ./dummy-auditd & > ~ # Record type: DAEMON_START - > type,op,ver,format,kernel,auid,pid,uid,ses,res > Record type: CONFIG_CHANGE - type,op,audit_backlog_limit,old,auid,ses,res > [..] > Record type: PROCTITLE - type,proctitle > Record type: 0 - (null) > Record type: 0 - (null) > .. > -->8 > > I want to have the event print *continously* i.e the new events *shall* > appears on the standard output. Note that plugins are designed to read stdin. So, you can cat a file into one for testing purposes. A real plugin couldn't write to stdout because that is /dev/null.

> Can you point me some examples in the git repository or an url that > describes how to do it please? Another example: https://github.com/linux-audit/audit-userspace/blob/audit-3.1-maint/audisp/ plugins/statsd/audisp-statsd.c > I surely miss something in the documentation so let me know if it is the > case. The feed API.

-Steve