Steve, thank you so much =)
I suppose you meant `ncat -U --recv-only`, because `nc` doesn't have a
`--recv-only` option.
ncat works as expected (shows incoming audit messages).
Regards
Rinat
On 14.10.2023 00:42, Steve Grubb wrote:
> Hello,
>
> On Tuesday, October 10, 2023 11:53:06 AM EDT Rinat Gadelshin wrote:
>> Could I ask your help with the plugin?
>
> The mail list might get a faster response. I sometimes get busy.
>
>> I try to check it in the following way on my Ubuntu 20.04:
>> - `systemctl stop auditd`
>> - set 'active' parameter to 'yes' (file /etc/audisp/plugins.d/af_unix.conf)
>> - `systemctl start auditd`
>> - `systemctl status auditd` shows that the service is running.
>> - `auditctl -w /tmp/delme`
>> - `auditctl -l` shows that the rule has been successfully added.
>> - `ls -l /var/run/audispd_events` prints "srwxr-xr-x 1 root root 0 okt 10 18:38 /var/run/audispd_events"
>> - launch `nc -Ul /var/run/audispd_events` in another terminal
>> - `echo 1 > /tmp/delme`
>> Expected result: `nc` has received some audit events for the file.
>> Actual result: `nc` has received nothing.
>
> nc -U --recv-only /var/run/audispd_events
>
>> Can you tell me what I did wrong?
>
> See above.
>
> -Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
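
Added example, not part of the original thread or of the audit project's code: the `ls -l` output above shows that the plugin has already created the socket, so a reader connects to it as a client (what `ncat -U --recv-only` does) rather than listening with `-l`. The Python sketch below does the same and picks out PATH records for the watched file; the helper names and the assumption that the plugin emits text (`key=value`) records are this example's own.

```python
import socket

SOCKET_PATH = "/var/run/audispd_events"  # socket path shown in the thread


def parse_record(line):
    """Split one text-format audit record into a dict of key=value fields.

    Simplification (assumption): fields are whitespace-separated and
    quoted values contain no spaces.
    """
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.strip('"')
    return fields


def read_records(path=SOCKET_PATH, limit=None):
    """Connect (do not bind/listen) to the socket and yield records.

    Nothing is ever sent, so the connection is receive-only in practice.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        with sock.makefile("r", encoding="utf-8", errors="replace") as stream:
            seen = 0
            for line in stream:
                line = line.strip()
                if not line:
                    continue
                yield parse_record(line)
                seen += 1
                if limit is not None and seen >= limit:
                    return


def watch_hits(records, watched_path):
    """Keep only PATH records whose name field equals watched_path."""
    for rec in records:
        if rec.get("type") == "PATH" and rec.get("name") == watched_path:
            yield rec


if __name__ == "__main__":
    # Usually needs root: the socket is owned by root.
    for hit in watch_hits(read_records(), "/tmp/delme"):
        print(hit)
```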