Date: Wed, 22 Aug 2007 11:07:02 +0400
From: sam <samflanker@gmail.com>
To: rwatson@FreeBSD.org
Cc: freebsd-hackers@freebsd.org, trustedbsd-audit@FreeBSD.org, freebsd-audit@freebsd.org
Subject: Re: praudit parse with gnu grep
Message-ID: <46CBE096.90805@gmail.com>
In-Reply-To: <20070821152327.R53914@fledge.watson.org>
References: <46C55191.2050205@gmail.com> <20070821145603.L50579@fledge.watson.org> <46CAF217.7040204@gmail.com> <20070821151108.Y53914@fledge.watson.org> <46CAF4E9.2030700@gmail.com> <20070821152327.R53914@fledge.watson.org>
Robert Watson wrote:
>
> On Tue, 21 Aug 2007, sam wrote:
>
>>>>>> # praudit /etc/auditpipe | grep "bla bla bla" &
>>>>>> # praudit /etc/auditpipe | tee file.log
>>>>>>
>>>>>> this does not work, please help me
>>>>>
>>>>> This thread is also on freebsd-hackers, but just to follow up here
>>>>> as well for the purposes of the archives:
>>>>>
>>>>> - It's /dev/auditpipe not /etc/auditpipe
>>>>> - If you're using grep, try --line-buffered
>>>>>
>>>> --line-buffered did not help me
>>>
>>> When you run praudit on /dev/auditpipe directly, do you get the
>>> records you expect?
>>
>> yes
>
> So what are you getting or not getting that is unexpected when you run
> with grep? Have you tried forcing lots of records of the type you
> would be matching to be created to make sure the buffers are flushing
> from praudit/grep/etc? The input/output buffers in stdio mean that
> you may not see output immediately; the buffer has to fill enough to
> trigger an I/O before that will happen.
>
> We could add an fflush call to praudit's output, which would flush the
> I/O out the file descriptor, but that wouldn't necessarily solve
> grep's buffering. The attached patch might do this.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
> Index: praudit.c > =================================================================== > RCS file: /data/fbsd-cvs/ncvs/src/contrib/openbsm/bin/praudit/praudit.c,v > retrieving revision 1.1.1.3 > diff -u -r1.1.1.3 praudit.c > --- praudit.c 16 Apr 2007 15:36:57 -0000 1.1.1.3 > +++ praudit.c 21 Aug 2007 14:26:43 -0000 > @@ -107,6 +107,7 @@ > free(buf); > if (oneline) > printf("\n"); > + fflush(stdout); > } > return (0); > }
>

My big thanks, this patch is working.

/Vladimir Ermakov
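
Review bot: the added fflush(stdout) after the printf("\n") line discards its return value, so a write failure (for example, the reader at the other end of the pipe has exited, or the disk behind a redirected file is full) goes unnoticed and the function still reaches return (0). For a tool whose output feeds audit monitoring, a silent loss of records is worth surfacing: check for EOF from fflush and report the error or return non-zero. Separately, the flush is unconditional and sits right after free(buf), so it appears to run for every record printed; when output is redirected to a regular file during bulk conversion of a trail, that gives up the benefit of stdio buffering. Consider making it conditional (a command-line switch, or only when stdout is not a regular file) and documenting the behaviour in the man page.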