Hi,

I am trying to make the builtin syslog audisp plugin use a custom
facility/priority pair for the syslog messages exported to the syslog
daemon. For that I am using the patch and the configuration below.
The problem is that neither compilation nor startup gives any
errors with the customization below, but the syslog daemon
receives the messages from audisp with the default facility
(LOG_USER). So I need a little help here.

I would appreciate any help.

Thanks,

--
Cosmih


============================================================
/etc/audisp/plugins.d/syslog.conf

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_ALERT LOG_KERN
format = string
============================================================



============================================================
diff -ur audit-2.0.4/audisp/audispd-builtins.c
audit-2.0.4-new/audisp/audispd-builtins.c
--- audit-2.0.4/audisp/audispd-builtins.c       2009-12-07 23:16:41.000000000 
+0200
+++ audit-2.0.4-new/audisp/audispd-builtins.c   2010-05-25
16:56:18.000000000 +0300
@@ -37,7 +37,7 @@

 // Local data
 static volatile int sock = -1, conn = -1;
-static int syslog_started = 0, priority;
+static int syslog_started = 0, priority, facility;
 static char *path = NULL;

 // Local prototypes
@@ -278,8 +278,25 @@
                        syslog_started = 0;
                        return;
                }
-       } else
+       } else {
                priority = LOG_INFO;
+       }
+       if (conf->args[2]) {
+               if (strcasecmp(conf->args[2], "LOG_USER") == 0)
+                       facility = LOG_USER
+               else if (strcasecmp(conf->args[2], "LOG_DAEMON") == 0)
+                       facility = LOG_DAEMON;
+               else if (strcasecmp(conf->args[2], "LOG_KERN") == 0)
+                       facility = LOG_KERN;
+               else {
+                       syslog(LOG_ERR, "Unknown log priority %s",
+                               conf->args[2]);
+                       syslog_started = 0;
+                       return;
+               }
+       else {
+               facility = LOG_KERN;
+       }
        syslog_started = 1;
        syslog(LOG_INFO, "syslog plugin initialized");
 }
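Review bot: Configuring `LOG_KERN`, as the accompanying syslog.conf does, cannot change the facility: LOG_KERN is numerically 0, so `facility|priority` in send_syslog (the last hunk) equals plain `priority`, and syslog(3) then applies the openlog() default facility, LOG_USER, which is exactly what the poster observes. glibc also ignores a zero facility given to openlog(), so user space cannot emit LOG_KERN messages at all, and tagging audit records as kernel output would misroute them in any collector that filters on facility; the LOG_KERN branch should be rejected or mapped to a non-zero facility such as LOG_DAEMON or one of LOG_LOCAL0..LOG_LOCAL7. As posted the hunk also cannot compile: `facility = LOG_USER` lacks its semicolon and the `if (conf->args[2]) {` block is never closed, so a `}` is needed before the trailing `else {`; if the binary actually built differs from this text, that explains the absence of compile errors. The error branch copies the priority message and should read `syslog(LOG_ERR, "Unknown log facility %s", conf->args[2]);`, and whether `conf->args[2]` is guaranteed NULL when only one argument is configured depends on the args parser outside this hunk, so that is worth confirming. init_syslog begins before this hunk.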
@@ -287,7 +304,7 @@
 void send_syslog(const char *s)
 {
        if (syslog_started)
-               syslog(priority, "%s", s);
+               syslog(facility|priority, "%s", s);
 }

 void destroy_syslog(void)
============================================================
