Send a message to audit.log
- First Post
- Replies
- Stats
-
Go to
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
Hi,
Hi, I have a C application which needs to send a message to audit.log from
userspace. I have been using `auditctl -m` format to send a message to
audit.log using `system` command but it seems to degrade performance a lot
of my application.
My question is there any API to send a message programmatically from my
application which is more efficient and robust.
Thanks,
Wajih
Attachments:
- attachment.html (text/html — 684 bytes)
Wajih,
Try man audit_log_user_messageand note the need for CAP_AUDIT_WRITE ability (see
auditctl(8))
That said. Is there a reason you want a message going into the system kernel logging
mechanism? The only reason why I ask is, if your audit rules posture is aggressive
(many rules that fire) then you could will slow down your application as it waits to
insert a message into the NETLINK_SOCKET is uses.
On *nix, syslog is the normal destination for application event logs. By separating
your application logs from operating system logs, you can more efficiently post
process them.
RegardsOn Fri, 2019-02-01 at 17:03 -0600, Wajih Ul Hassan wrote:
Hi,
Hi, I have a C application which needs to send a message to audit.log from
userspace. I have been using `auditctl -m` format to send a message to audit.log
using `system` command but it seems to degrade performance a lot of my
application.
My question is there any API to send a message programmatically from my
application which is more efficient and robust.
Thanks,
Wajih
--Linux-audit mailing listLinux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On Fri, 1 Feb 2019 17:03:49 -0600
Wajih Ul Hassan <wajih.lums(a)gmail.com> wrote:
Hi,
Hi, I have a C application which needs to send a message to audit.log
from userspace. I have been using `auditctl -m` format to send a
message to audit.log using `system` command but it seems to degrade
performance a lot of my application.
My question is there any API to send a message programmatically from
my application which is more efficient and robust.
Burn had some good advice. But if you really want to send an audit
event, then you might look at the general advice here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good...
First, you need to pick an event type. If its purely for your app, then
AUDIT_TRUSTED_APP is for you. Then you need to find the right logging
function for your event. I'd suggest looking at the available functions
at the bottom of /usr/include/libaudit.h. Probably
audit_log_user_message is your logging API unless its an account or
command message.
-Steve
2158
days inactive
2159
days old
linux-audit@lists.linux-audit.osci.io
2 comments
3 participants
tags (0)
participants (3)
-
Burn Alting -
Steve Grubb -
Wajih Ul Hassan