10:03 a.m.
Hi list,
I'm looking for an example to receive auditd event *continously* and
print them to the standard output.
I found simple example which use *auparse* library here:
https://security-plus-data-science.blogspot.com/2017/04/writing-basic-aup...
I add a the following lines to loop 'forever'
8<---
[..]
while (1) {
auparse_first_record(au);
[..]
sleep(1);
}
auparse_destroy(au);
return 0;
}
-->8
The problem with this example is the output only shows the events which
are available *before* binary startup not the event arrived *after*.
8<---
./dummy-auditd &
~ # Record type: DAEMON_START -
type,op,ver,format,kernel,auid,pid,uid,ses,res
Record type: CONFIG_CHANGE - type,op,audit_backlog_limit,old,auid,ses,res
[..]
Record type: PROCTITLE - type,proctitle
Record type: 0 - (null)
Record type: 0 - (null)
..
-->8
I want to have the event print *continously* i.e the new events *shall*
appears on the standard output.
Can you point me some examples in the git repository or an url that
describes how to do it please?
I surely miss something in the documentation so let me know if it is the
case.
Thanks.
Regards.
10:47 a.m.
On Wednesday, October 8, 2025 11:03:41 AM Eastern Daylight Time Jean-Jacques
Pitrolle wrote:
Hi list,
I'm looking for an example to receive auditd event *continously* and
print them to the standard output.
I found simple example which use *auparse* library here:
https://security-plus-data-science.blogspot.com/2017/04/writing-basic-aupar
se-program.html
I add a the following lines to loop 'forever'
8<---
[..]
while (1) {
auparse_first_record(au);
[..]
sleep(1);
}
auparse_destroy(au);
return 0;
}
-->8
The problem with this example is the output only shows the events which
are available *before* binary startup not the event arrived *after*.
This construct is intended for files or memory buffers. Something that you
need to iterate across. What you want is the feed api. This is how all the
plugins work. You can find an example here:
https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/
audisp-example.c#L117
8<---
./dummy-auditd &
~ # Record type: DAEMON_START -
type,op,ver,format,kernel,auid,pid,uid,ses,res
Record type: CONFIG_CHANGE - type,op,audit_backlog_limit,old,auid,ses,res
[..]
Record type: PROCTITLE - type,proctitle
Record type: 0 - (null)
Record type: 0 - (null)
..
-->8
I want to have the event print *continously* i.e the new events *shall*
appears on the standard output.
Note that plugins are designed to read stdin. So, you can cat a file into one
for testing purposes. A real plugin couldn't write to stdout because that is
/dev/null.
Can you point me some examples in the git repository or an url that
describes how to do it please?
Another example:
https://github.com/linux-audit/audit-userspace/blob/audit-3.1-maint/audisp/
plugins/statsd/audisp-statsd.c
I surely miss something in the documentation so let me know if it is
the
case.
The feed API.
-Steve
11:35 a.m.
Hi Steve,
Thanks for your reply.
On 08/10/2025 17:47, Steve Grubb wrote:
On Wednesday, October 8, 2025 11:03:41 AM Eastern Daylight Time
Jean-Jacques
Pitrolle wrote:
> Hi list,
> I'm looking for an example to receive auditd event *continously* and
> print them to the standard output.
>
> I found simple example which use *auparse* library here:
> https://security-plus-data-science.blogspot.com/2017/04/writing-basic-aupar
> se-program.html
> I add a the following lines to loop 'forever'
> 8<---
> [..]
> while (1) {
> auparse_first_record(au);
> [..]
> sleep(1);
> }
>
> auparse_destroy(au);
>
> return 0;
> }
> -->8
>
> The problem with this example is the output only shows the events which
> are available *before* binary startup not the event arrived *after*.
This construct is intended for files or memory buffers. Something that you
need to iterate across. What you want is the feed api. This is how all the
plugins work. You can find an example here:
https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/
audisp-example.c#L117
Hmm ok i already modify the ids plugin to adapt it as a
test.
My purpose was to avoid the *plugin framework* this is why i was looking
for an example without any reference to *plugin*.
> 8<---
> ./dummy-auditd &
> ~ # Record type: DAEMON_START -
> type,op,ver,format,kernel,auid,pid,uid,ses,res
> Record type: CONFIG_CHANGE - type,op,audit_backlog_limit,old,auid,ses,res
> [..]
> Record type: PROCTITLE - type,proctitle
> Record type: 0 - (null)
> Record type: 0 - (null)
> ..
> -->8
>
> I want to have the event print *continously* i.e the new events *shall*
> appears on the standard output.
Note that plugins are designed to read stdin. So, you can cat a file into one
for testing purposes. A real plugin couldn't write to stdout because that is
/dev/null.
OK i want to avoid this infrastructure but it seems for my use-case i
can't avoid it.
So for my use case if i understand correctly i need the following
infrastructure
| auditd | --stdin--> | auditd-plugin | -- IPC --> | my-bin|
where IPC is a message queue or a named pipe that sends the expected
events to an external program my-bin.
Can you confirm this?
> Can you point me some examples in the git repository or an url that
> describes how to do it please?
Another example:
https://github.com/linux-audit/audit-userspace/blob/audit-3.1-maint/audisp/
plugins/statsd/audisp-statsd.c
> I surely miss something in the documentation so let me know if it is the
> case.
The feed API.
Thanks for the clarification; i think it would be possible to avoid
reading from stdin but it seems from your explanation it is not possible.
Regards.>
-Steve
12:31 p.m.
On Wednesday, October 8, 2025 12:35:47 PM Eastern Daylight Time Jean-Jacques
Pitrolle wrote:
Hi Steve,
Thanks for your reply.
On 08/10/2025 17:47, Steve Grubb wrote:
> On Wednesday, October 8, 2025 11:03:41 AM Eastern Daylight Time
> Jean-Jacques>
> Pitrolle wrote:
>> Hi list,
>> I'm looking for an example to receive auditd event *continously* and
>> print them to the standard output.
>>
>> I found simple example which use *auparse* library here:
>> https://security-plus-data-science.blogspot.com/2017/04/writing-basic-au
>> par se-program.html
>>
>> I add a the following lines to loop 'forever'
>> 8<---
>> [..]
>>
>> while (1) {
>>
>> auparse_first_record(au);
>>
>> [..]
>>
>> sleep(1);
>>
>> }
>>
>> auparse_destroy(au);
>>
>> return 0;
>>
>> }
>> -->8
>>
>> The problem with this example is the output only shows the events which
>> are available *before* binary startup not the event arrived *after*.
>
> This construct is intended for files or memory buffers. Something that
> you
> need to iterate across. What you want is the feed api. This is how all
> the
> plugins work. You can find an example here:
>
> https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin
> /
> audisp-example.c#L117
Hmm ok i already modify the ids plugin to adapt it as a test.
My purpose was to avoid the *plugin framework* this is why i was looking
for an example without any reference to *plugin*.
There are a couple such as the syslog plugin and af_unix plugin. But they
simply forward what they see. The reason the auparse library exists is so
that you don't have to become an expert in all things audit. For example, the
events are not serialized by the kernel. That is a user space problem. You
need to know when an event is complete. You need to know how to translate
the fields from numbers into something you understand. And then there are the
corner cases where events accidentally define the same field but with different
meaning.
>> 8<---
>> ./dummy-auditd &
>> ~ # Record type: DAEMON_START -
>> type,op,ver,format,kernel,auid,pid,uid,ses,res
>> Record type: CONFIG_CHANGE -
>> type,op,audit_backlog_limit,old,auid,ses,res
>> [..]
>> Record type: PROCTITLE - type,proctitle
>> Record type: 0 - (null)
>> Record type: 0 - (null)
>> ..
>> -->8
>>
>> I want to have the event print *continously* i.e the new events *shall*
>> appears on the standard output.
>
> Note that plugins are designed to read stdin. So, you can cat a file into
> one for testing purposes. A real plugin couldn't write to stdout because
> that is /dev/null.
OK i want to avoid this infrastructure but it seems for my use-case i
can't avoid it.
So for my use case if i understand correctly i need the following
infrastructure
| auditd | --stdin--> | auditd-plugin | -- IPC --> | my-bin|
where IPC is a message queue or a named pipe that sends the expected
events to an external program my-bin.
Can you confirm this?
Instead of writing a plugin, just use the af_unix plugin and read from it.
But whatever you do, consider making it multi-threaded. One to pull events as
soon as they appear and one to process the event with a queue between the
threads. If you don't pull events fast enough, it backs things up and then
auditd can't unload from the kernel and then the kernel backs up.
>> Can you point me some examples in the git repository or an
url that
>> describes how to do it please?
>
> Another example:
>
> https://github.com/linux-audit/audit-userspace/blob/audit-3.1-maint/audis
> p/ plugins/statsd/audisp-statsd.c
>
>> I surely miss something in the documentation so let me know if it is the
>> case.
>
> The feed API.
Thanks for the clarification; i think it would be possible to avoid
reading from stdin but it seems from your explanation it is not possible.
That's where auditd places it so that the plugin can always find it. But in
your case, the af_unix plugin is probably your answer.
-Steve
8:11 a.m.
Hi Steve,
On 08/10/2025 19:31, Steve Grubb wrote:
That's where auditd places it so that the plugin can always find
it. But in
your case, the af_unix plugin is probably your answer.
Yes exactly; using "socat - UNIX-CONNECT:/var/run/audispd_events" does
the trick.
Thanks for your time.
Regards.
84
days inactive
85
days old
linux-audit@lists.linux-audit.osci.io
3 comments
2 participants
participants (2)
-
Jean-Jacques Pitrolle -
Steve Grubb