On Wednesday 16 December 2009 09:45:07 am 陈洁丹 wrote:
> I want to write some plugin to do something, but I still do not have a
> clear view of the interface between the plugin and dispatcher.
The source code tarball ships with a sample plugin and you can also read it
online:
https://fedorahosted.org/audit/browser/trunk/contrib/plugin
The events are written to stdin of the plugin by the dispatcher. Each plugin
has a configuration file that should be installed to /etc/audisp/plugins.d/ with
a defined format.
One of the items tells audispd whether to send the event in binary format as
the dispatcher itself received it or if it should be changed to string format.
If you choose binary, then you are responsible for checking the version number of
the event to make sure that you handle future versions of the event format.
So, I would recommend that people write plugins that expect string format
since that is most portable.
If you choose string format, then you get the benefit of being able to use the
audit parsing library. And you can debug your plugin by creating a raw audit
event log and cat'ing it to the plugin's stdin. For example, if your plugin
does something when someone accesses passwd, you can make a raw log like this:
ausearch --start today -f passwd --raw > test.log
then debug like:
cat test.log | ./my-app
Hope this helps...
-Steve
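A minimal string-format plugin along the lines Steve describes, as an added example that is neither the sample plugin from the audit tarball nor code from this thread: it reads one record per line from stdin, pulls fields out of the raw text itself rather than through libauparse, and flags PATH records whose name ends in passwd. The field names and the passwd trigger are assumptions chosen to match the ausearch debugging recipe above.

```c
/* Minimal audispd plugin (added example, not the tarball's sample plugin). Assumes
 * its /etc/audisp/plugins.d/ config selects string format: one text record per line. */
#include <stdio.h>
#include <string.h>

/* Copy the value of "key=" from a string-format audit record into out.
 * Handles quoted (name="/etc/passwd") and bare (uid=0) values.
 * Returns 1 if the key was found, 0 otherwise. */
int audit_field(const char *rec, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key), n;
    const char *p = rec, *v;
    while ((p = strstr(p, key)) != NULL) {
        /* a real field starts the record or follows a space, and ends in '=' */
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            v = p + klen + 1;
            /* quoted value runs to the closing quote, bare value to a space */
            n = (*v == '"') ? strcspn(++v, "\"") : strcspn(v, " \n");
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Return 1 if rec is a PATH record whose name ends in a "passwd" component. */
int is_passwd_access(const char *rec)
{
    char type[32], name[4096];
    if (!audit_field(rec, "type", type, sizeof type) || strcmp(type, "PATH") != 0)
        return 0;
    if (!audit_field(rec, "name", name, sizeof name))
        return 0;
    const char *base = strrchr(name, '/');
    return strcmp(base ? base + 1 : name, "passwd") == 0;
}

/* audispd writes each event to stdin; test offline with: cat test.log | ./my-app */
int main(void)
{
    char line[8192];
    while (fgets(line, sizeof line, stdin))
        if (is_passwd_access(line))
            fprintf(stderr, "passwd accessed: %s", line);
    return 0;
}
```

The record layout is the constructed one used in the test below; a real plugin should tolerate records that arrive with extra leading fields such as node=.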