Hello,

On Monday, May 13, 2024 5:11:50 PM EDT nupurde...@gmail.com wrote:
> Hi, I am following the sample code at
> https://github.com/linux-audit/audit-userspace/blob/4939b8541322cbf3a53affc28e71ce53d92f121f/contrib/plugin/audisp-example.c
> to write my own plugin. The number of events that will be generated on my
> system will be huge as I want to monitor a lot of root activities. So in my
> plugin I have created 2 threads: reader and processor.

This sounds good so far. And do you have synchronization around enqueuing and
dequeuing?

> Reader is reading off the STDIN and putting the "msg"
> (MAX_AUDIT_MESSAGE_LENGTH) into a list.

The records will come in one at a time and will be shorter than
MAX_AUDIT_MESSAGE_LENGTH.

Also, a common mistake is using select/poll on stdin and then using fgets to
read it. It will cause strange errors to mix fd and FILE * operations. To
straighten this out for my own use, I created the equivalent of fgets except
it takes a fd.

https://github.com/linux-audit/audit-userspace/blob/master/common/audit-fgets.c

I've thought about exposing that as an API since anyone doing a plugin has a
need for this.

> Processor is popping each "msg" off the list and calling "auparse_feed" for
> each msg. Finally in handle_event, I am looping through the records of each
> event and calling my own logging API to log it on the remote server.

OK.

> I am seeing a lot (in 1000's) of repetitive audit records on my remote
> server (exact same records, same timestamp and same ID value), though I do
> not see the same in local audit.log file.
>
> Not sure what's going wrong with my logic

Since the plugin reads from stdin, you can cat a file into the plugin:

cat audit.log | ./plugin

Just save a few events in it using "ausearch --raw" to preserve the events as
they are. I would make a debug mode for the plugin to write to stdout and then
see if what goes in comes out. I'd also compile it with the thread sanitizer
and see if that shows anything.

-Steve

_______________________________________________
Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io
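The fd-versus-FILE* point above is worth seeing in code. The reason the mix misbehaves is that fgets() on a FILE* slurps as much input as it can into stdio's private buffer, so a later select()/poll() on the underlying descriptor reports "nothing pending" while whole records are already sitting in that buffer, and the reader stalls or double-handles input depending on how it recovers. The block below is an added illustration, written for this page and not taken from the audit-userspace project or from Steve's audit-fgets.c: a poll()-driven line reader that keeps its own leftover buffer, plus a pipe-backed self-check that feeds constructed records in awkward chunks (one write stopping mid-record, one carrying a record and a half) and verifies that each record comes out exactly once and only once it is complete. The names fd_fgets, line_reader and demo_records_through_pipe are mine, the sample records are made up, and the value 8970 for MAX_AUDIT_MESSAGE_LENGTH is an assumption (a real plugin takes the macro from libaudit.h).

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed record bound; a real plugin uses MAX_AUDIT_MESSAGE_LENGTH from libaudit.h. */
#define MAX_AUDIT_MESSAGE_LENGTH 8970

/* Bytes read but not yet consumed live here, not in a hidden FILE* buffer,
 * so poll() on the fd tells the truth about whether input is pending. */
struct line_reader {
    int fd, eof;
    size_t len;                              /* bytes buffered, not yet consumed */
    char buf[2 * MAX_AUDIT_MESSAGE_LENGTH];
};

/* Copy n bytes of buf to out (truncating, never overflowing), NUL-terminate,
 * then drop those bytes plus `skip` delimiter bytes from the buffer. */
static void lr_take(struct line_reader *lr, size_t n, size_t skip, char *out, size_t outlen)
{
    size_t copy = n < outlen - 1 ? n : outlen - 1;
    memcpy(out, lr->buf, copy);
    out[copy] = '\0';
    lr->len -= n + skip;
    memmove(lr->buf, lr->buf + n + skip, lr->len);
}

/* fgets() for a file descriptor. Returns 1 with a record in out, 0 at EOF,
 * -1 on error (errno set), -2 when timeout_ms passes without a complete record. */
static int fd_fgets(struct line_reader *lr, char *out, size_t outlen, int timeout_ms)
{
    for (;;) {
        char *nl = memchr(lr->buf, '\n', lr->len);
        if (nl != NULL) {                         /* a complete line is buffered */
            lr_take(lr, (size_t)(nl - lr->buf), 1, out, outlen);
            return 1;
        }
        if (lr->eof) {                            /* flush a final line lacking '\n' */
            if (lr->len == 0) return 0;
            lr_take(lr, lr->len, 0, out, outlen);
            return 1;
        }
        if (lr->len == sizeof lr->buf) {          /* oversized junk: drop it, resync */
            lr->len = 0; errno = EMSGSIZE; return -1;
        }
        struct pollfd pfd = { .fd = lr->fd, .events = POLLIN, .revents = 0 };
        int p = poll(&pfd, 1, timeout_ms);
        if (p < 0 && errno == EINTR) continue;
        if (p < 0 || (pfd.revents & (POLLERR | POLLNVAL))) return -1;
        if (p == 0) return -2;
        /* POLLIN or POLLHUP: read() yields data, or 0 once the writer has gone */
        ssize_t n = read(lr->fd, lr->buf + lr->len, sizeof lr->buf - lr->len);
        if (n < 0 && (errno == EINTR || errno == EAGAIN)) continue;
        if (n < 0) return -1;
        if (n == 0) lr->eof = 1; else lr->len += (size_t)n;
    }
}

/* Constructed sample records (not real log data), split so the first write
 * stops in the middle of a record and the second carries one and a half. */
static const char *const chunks[] = {
    "type=SYSCALL msg=audit(1715634710.123:4242): arch=c000003e syscall=59 ",
    "success=yes exit=0 comm=\"id\" exe=\"/usr/bin/id\"\n"
    "type=EXECVE msg=audit(1715634710.123:4242): argc=1 a0=\"id\"\n",
    "type=EOE msg=audit(1715634710.123:4242): \n",
};

static int push(int fd, const char *s) { return write(fd, s, strlen(s)) == (ssize_t)strlen(s); }

/* Feed the chunks through a pipe and count the records fd_fgets() hands back.
 * Returns 3 on success, otherwise a negative code naming the failed expectation. */
static int demo_records_through_pipe(void)
{
    int fds[2], count = 0;
    char rec[MAX_AUDIT_MESSAGE_LENGTH];
    if (pipe(fds) != 0) return -1;
    struct line_reader lr = { .fd = fds[0] };
    if (!push(fds[1], chunks[0])) return -1;
    if (fd_fgets(&lr, rec, sizeof rec, 0) != -2) return -2;   /* half a record: nothing yet */
    if (!push(fds[1], chunks[1])) return -1;
    while (fd_fgets(&lr, rec, sizeof rec, 0) == 1) {
        if (count == 0 && strstr(rec, "syscall=59 success=yes") == NULL) return -3; /* halves joined */
        if (strchr(rec, '\n') != NULL) return -4;                 /* delimiter stripped */
        count++;
    }
    if (count != 2) return -5;
    if (!push(fds[1], chunks[2])) return -1;
    close(fds[1]);                                                /* writer gone */
    if (fd_fgets(&lr, rec, sizeof rec, 1000) != 1 || strncmp(rec, "type=EOE", 8) != 0) return -6;
    count++;
    if (fd_fgets(&lr, rec, sizeof rec, 1000) != 0) return -7;    /* clean EOF, no duplicate */
    close(fds[0]);
    return count;
}

/* Stand-alone debug mode: `cat records.txt | ./plugin` echoes each record parsed. */
int main(void)
{
    struct line_reader lr = { .fd = STDIN_FILENO };
    char rec[MAX_AUDIT_MESSAGE_LENGTH];
    int r;
    while ((r = fd_fgets(&lr, rec, sizeof rec, -1)) == 1)
        printf("record: %s\n", rec);
    return r == 0 ? 0 : 1;
}
```

Two details matter when this sits in a reader thread. First, the only state is the struct, so poll() always sees exactly what the kernel still holds; there is no second buffer for records to hide in. Second, the timeout path (-2) and the oversize path (-1 with EMSGSIZE) are distinct from EOF (0), so the thread can tell "nothing yet" from "auditd closed the pipe" and never re-reads or re-queues a record it already delivered, which is the first thing to rule out when the remote side shows the same record thousands of times. Building with -fsanitize=thread, as suggested above, then checks the hand-off between this reader and the processor thread.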