On Tuesday, November 18, 2014 02:37:38 PM Wouter van Verre wrote:

> Hi all,
>
> I am looking to do some real time parsing with audit. After some testing I
> figured it would be easier to do the parsing in a plugin on the local machine
> and then send the parsed data to a remote machine for storage.
>
> After reading the audit-parse.txt document I am not quite sure how to
> proceed. Given that the plugin will receive data on stdin, how would I go
> about setting the auparse library up (for example, what ausource_t should I
> specify to initialise the auparse_state_t object) to enable real time
> parsing?
There is an example plugin in the source distribution. You can see it here:

https://fedorahosted.org/audit/browser/trunk/contrib/plugin

The plugin provides a code skeleton and demonstration of how to move around the events / records / fields. Other examples would be the prelude-plugin and aulast utility.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
