On Wednesday, January 06, 2016 08:27:31 PM Gulland, Scott A wrote:
> > What I would suggest in a case like this is to create a small utility that
> > generates the exact report that you want. The auparse library makes that
> > super easy. I can dig up the skeleton code for something like this if you
> > want.
>
> Thanks Steve! I'd appreciate the skeleton code. At some point we'll
> probably want to create a custom report capability. It sounds like
> ausearch really only handles the fields written by the kernel.
Sorry for the delay, I needed to get the 2.5 package out the door.

There is some example code in the audit package and here:
https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.c

If you wanted to read from a file, then you change the code to

    f = fopen("./test.log", "r");
    if (f == NULL) {
        printf("Can't open log\n");
        return 1;
    }

but keep the AUSOURCE_FEED. Then in the loop

    /* Now the event loop */
    if (!stop && !hup && retval > 0) {
        if (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH, f)) {
            auparse_feed(au, tmp, strnlen(tmp, MAX_AUDIT_MESSAGE_LENGTH));
        }
    } else if (retval == 0)
        auparse_flush_feed(au);
    if (feof(f))
        break;

Then you put the report in the callback function. You can switch between the types as shown in the handle_event function.

If you want it to run off of logs, then you would need to structure things a bit differently. The aulastlog program shows a good example of that:
https://fedorahosted.org/audit/browser/trunk/tools/aulastlog/aulastlog.c

Hope this helps...

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
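The feed loop in Steve's message works because auparse buffers every record that shares one msg=audit(timestamp:serial) id into a single event, calls the registered callback once that event is complete, and releases the last buffered event when auparse_flush_feed() is called at EOF. The program below is an added example, not code from the audit package or from the thread: it re-implements that grouping and a "who touched a watched path" report callback in plain C with no dependency on libauparse, so it compiles and runs anywhere. The struct names, feed_line()/feed_flush()/get_field(), the report layout and the SAMPLE log lines are all constructed for illustration. In a real utility you would keep this shape but replace feed_line()/feed_flush() with auparse_feed()/auparse_flush_feed(), walk records with auparse_first_record()/auparse_next_record(), and read fields with auparse_find_field()/auparse_get_field_str() instead of get_field().

```c
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS 16
#define MAX_LINE 1024   /* real records are <= MAX_AUDIT_MESSAGE_LENGTH (8970) */

struct record { char type[32]; char text[MAX_LINE]; };
struct event { char id[48]; int nrec; struct record rec[MAX_RECORDS]; }; /* one audit(ts:serial) */
typedef void (*event_cb)(const struct event *ev, void *user);
struct feed { struct event cur; event_cb cb; void *user; };

/* Copy the value of "name=" from one record, stripping quotes. The match must start
   at a field boundary so that "uid=" is not found inside "auid=". */
int get_field(const char *rec, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name), i = 0;
    const char *p = rec;
    out[0] = '\0';
    while ((p = strstr(p, name)) != NULL) {
        if ((p == rec || p[-1] == ' ' || p[-1] == ':' || p[-1] == '\'') && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            char end = (*v == '"' || *v == '\'') ? *v++ : ' ';
            while (v[i] && v[i] != end && i < outlen - 1) { out[i] = v[i]; i++; }
            out[i] = '\0';
            return 1;
        }
        p += nlen;
    }
    return 0;
}

/* Helper for checks: does record `rec` carry name=want? */
int field_equals(const char *rec, const char *name, const char *want) {
    char buf[128];
    return get_field(rec, name, buf, sizeof buf) && strcmp(buf, want) == 0;
}

/* Extract "ts:serial" from msg=audit(ts:serial); returns 0 if the line is not an audit record. */
static int event_id(const char *line, char *out, size_t outlen) {
    const char *s = strstr(line, "msg=audit("), *e;
    if (!s || !(e = strchr(s += 10, ')')) || (size_t)(e - s) >= outlen) return 0;
    memcpy(out, s, (size_t)(e - s));
    out[e - s] = '\0';
    return 1;
}

/* Hand the buffered event to the callback and reset (what auparse_flush_feed() does at EOF). */
void feed_flush(struct feed *f) {
    if (f->cur.nrec > 0 && f->cb) f->cb(&f->cur, f->user);
    f->cur.nrec = 0;
    f->cur.id[0] = '\0';
}

/* Feed one line (what auparse_feed() does): a record whose id differs from the buffered
   event's id completes that event. Malformed lines and surplus records are dropped. */
int feed_line(struct feed *f, const char *line) {
    char id[48], type[32];
    if (!event_id(line, id, sizeof id) || !get_field(line, "type", type, sizeof type)) return 0;
    if (f->cur.nrec > 0 && strcmp(id, f->cur.id) != 0) feed_flush(f);
    if (f->cur.nrec == MAX_RECORDS) return 0;
    struct record *r = &f->cur.rec[f->cur.nrec++];
    snprintf(f->cur.id, sizeof f->cur.id, "%s", id);
    snprintf(r->type, sizeof r->type, "%s", type);
    snprintf(r->text, sizeof r->text, "%s", line);
    return 1;
}

/* The report: who touched a watched path. Tallies are kept so the result can be checked. */
struct report { int events, keyed; char last_auid[16], last_exe[128], last_key[64]; };

static void on_event(const struct event *ev, void *user) {
    struct report *rp = user;
    rp->events++;
    for (int i = 0; i < ev->nrec; i++) {   /* the key= field lives on the SYSCALL record */
        if (strcmp(ev->rec[i].type, "SYSCALL") != 0 ||
            !get_field(ev->rec[i].text, "key", rp->last_key, sizeof rp->last_key)) continue;
        get_field(ev->rec[i].text, "auid", rp->last_auid, sizeof rp->last_auid);
        get_field(ev->rec[i].text, "exe", rp->last_exe, sizeof rp->last_exe);
        printf("%s auid=%s exe=%s key=%s\n", ev->id, rp->last_auid, rp->last_exe, rp->last_key);
        rp->keyed++;
        break;
    }
}

/* Constructed sample (not real audit output): two multi-record events, one login event and
   one junk line, to show malformed input is skipped rather than crashing the report. */
static const char *SAMPLE[] = {
    "type=SYSCALL msg=audit(1452112051.123:456): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 gid=0 ses=3 comm=\"cat\" exe=\"/usr/bin/cat\" key=\"watch-passwd\"",
    "type=CWD msg=audit(1452112051.123:456): cwd=\"/root\"",
    "type=PATH msg=audit(1452112051.123:456): item=0 name=\"/etc/passwd\" inode=131 mode=0100644 nametype=NORMAL",
    "type=USER_LOGIN msg=audit(1452112099.500:457): pid=2211 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" addr=10.0.0.5 terminal=ssh res=success'",
    "type=SYSCALL msg=audit(1452112120.010:458): arch=c000003e syscall=257 success=no exit=-13 auid=1000 uid=1000 gid=1000 ses=4 comm=\"vim\" exe=\"/usr/bin/vim\" key=\"watch-shadow\"",
    "type=PATH msg=audit(1452112120.010:458): item=0 name=\"/etc/shadow\" inode=132 mode=0100000 nametype=NORMAL",
    "this line has no audit id and is ignored",
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Drive the feed from the sample array (stand-in for the fgets() loop over the log file). */
const struct report *run_sample_report(void) {
    static struct report rp;
    struct feed f = { .cb = on_event, .user = &rp };
    memset(&rp, 0, sizeof rp);
    for (size_t i = 0; i < NSAMPLE; i++) feed_line(&f, SAMPLE[i]);
    feed_flush(&f);   /* EOF: release the trailing event, as auparse_flush_feed() would */
    return &rp;
}

int main(void) {
    const struct report *rp = run_sample_report();
    printf("%d events, %d touched a watched path\n", rp->events, rp->keyed);
    return 0;
}
```

Two details matter when you write the real thing against auparse. First, the flush at EOF is not optional: without it the last event in the file is never delivered, because the parser has no way to know that no further records for that serial are coming. Second, field lookup has to respect field boundaries; a naive strstr() for "uid=" matches inside "auid=" and silently misattributes the action to the wrong user, which is exactly the kind of error a custom report must not make.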
