Hi Steve, Thanks for the reply. I compared the record string I was passing to auparse_feed() against the example string in auparse/test/auparse_test.c (in audit-userspace git repo). Looks like I needed to prepend "msg=" before the audit message and pass the exact length of the record string to auparse_feed().
Changing the lines in the code to:

    snprintf(record_buffer, (record_buffer_len - 1), "type=%s msg=%.*s\n", type_name, reply.len, reply.message);
    auparse_feed(au, record_buffer, strlen(record_buffer));

worked.

Also I noticed that the EOE record is treated as its own event even though there were other records with the same audit serial number. I guess this is expected, as after EOE there will be no more records for this event, and if EOE was treated as a part of the previous event, then it will not be possible to tell when this event is complete.

Thanks for the help,
Tarun

On Tue, Jun 11, 2019 at 9:49 PM Steve Grubb <[email protected]> wrote:
> On Tuesday, June 11, 2019 2:56:23 AM EDT Tarun Ramesh wrote:
> > The callback function on_audit_event() just goes through the records one by
> > one and prints the fields and values. I have added a rule to watch for
> > file edits in the /home folder. I see the records for file creation in
> > this folder being received, however it looks like the callback function is
> > not being called when an EOE record is received. Please let me know if I'm
> > missing something.
>
> As long as the format exactly matched how auditd creates the record, cursory
> glance appears ok, then the records get grouped inside auparse to form a
> complete event. When the event is determined to be complete, it is passed to
> the registered callback function. You need to iterate over the individual
> records to see the whole event.
>
> So, you do not get a callback on an individual record, you are called back on
> a complete event. The EOE record should be the last record. You can use
> auparse_next_record() to iterate across records.
>
> -Steve
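As an added example (not code from the thread or from audit-userspace): building a record in the exact auditd text form that auparse_feed() expects, returning the exact length to pass (Tarun's fix), refusing truncated records, and extracting the serial number that ties a record to the EOE that closes its event. The sample message is constructed; it assumes the message and length come from a reply as in the original code.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Build one audit record in the form auditd writes, "type=<TYPE> msg=<message>\n",
 * which is what auparse_feed() expects.  The reply message is not NUL-terminated,
 * so its length is passed explicitly.  Returns the record length (the value to
 * hand to auparse_feed()), or -1 if the record did not fit: a truncated record
 * must never be fed, because the parser cannot tell where it really ended. */
static int format_audit_record(char *buf, size_t buflen, const char *type_name,
                               const char *msg, size_t msg_len)
{
    int n = snprintf(buf, buflen, "type=%s msg=%.*s\n", type_name, (int)msg_len, msg);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Extract the serial from "msg=audit(<sec>.<msec>:<serial>):".  All records of
 * one event share this serial, including the EOE record that ends the event.
 * Returns 0 when the record is not in auditd form. */
static unsigned long audit_record_serial(const char *record)
{
    const char *p = strstr(record, " msg=audit(");
    if (!p)
        return 0;
    p = strchr(p, ':');          /* first ':' separates the timestamp from the serial */
    if (!p)
        return 0;
    return strtoul(p + 1, NULL, 10);
}

int main(void)
{
    /* Constructed sample resembling a SYSCALL record; not captured audit data. */
    const char *msg = "audit(1560268123.456:789): arch=c000003e syscall=2 success=yes";
    char rec[512];
    int n = format_audit_record(rec, sizeof(rec), "SYSCALL", msg, strlen(msg));
    if (n < 0) {
        fprintf(stderr, "record did not fit\n");
        return 1;
    }
    printf("%d bytes, serial %lu: %s", n, audit_record_serial(rec), rec);
    /* With a live parser: auparse_feed(au, rec, n); then auparse_flush_feed(au). */
    return 0;
}
```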
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
