From owner-freebsd-hackers@FreeBSD.ORG Tue Aug 21 13:31:12 2007
Date: Tue, 21 Aug 2007 14:31:11 +0100 (BST)
From: Robert Watson (rwatson@FreeBSD.org)
To: Eric Crist
Cc: freebsd-hackers@freebsd.org, sam
Subject: Re: work praudit with tee & grep
In-Reply-To: <80FA5D23-FA4E-4D1D-87E8-B06E4931C48D@gmail.com>
Message-ID: <20070821142858.C50579@fledge.watson.org>
References: <46C9528D.8010201@gmail.com> <20070821123943.N50579@fledge.watson.org> <46CADFF9.2000700@gmail.com> <46CAE6C7.5060706@gmail.com> <80FA5D23-FA4E-4D1D-87E8-B06E4931C48D@gmail.com>
List-Id: Technical Discussions relating to FreeBSD

On Tue, 21 Aug 2007, Eric Crist wrote:

>> thx this not working wite up buffer-pipe to 4096 bytes
>
> Can I ask what is in the /etc/auditpipe file?

I believe what is meant is /dev/auditpipe, which provides a live event stream from the kernel's audit subsystem in FreeBSD 6.2 and later. You can read more about the event audit facility here:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit.html

The auditpipe(4) man page provides more detailed information on audit pipes, which, unlike the trail files in /var/audit, provide live streams in a lossy way, and allow applications to push filters into the kernel as to what events they are interested in hearing about.

Robert N M Watson
Computer Laboratory
University of Cambridge
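As an added example, not from the thread or from FreeBSD itself: a small sh script that reads the live stream from /dev/auditpipe through praudit -l (one record per line) and filters it record by record with an awk that flushes after every match, so a tee/grep-style pipeline shows events as they happen instead of only after an output buffer fills. It assumes praudit(1) supports -l, that awk has fflush(), and that the reader runs it as root with auditd running; the sample records are constructed for the offline check.

```shell
#!/bin/sh
# Added example (not the thread's or FreeBSD's own code). Assumes praudit -l
# and an awk with fflush(); /dev/auditpipe needs root and a running auditd.

# Pass through only records whose event-name field (4th comma-separated
# field of a praudit -l line, e.g. "execve(2)") matches the regex in $1.
# fflush() after each match keeps the downstream reader from waiting on a
# full stdio block, which is one way a live praudit | tee | grep pipeline
# can look stalled.
filter_audit_events() {
    awk -F, -v pat="$1" '$4 ~ pat { print; fflush() }'
}

# Count matching records on stdin; used by the offline check below.
count_audit_events() {
    filter_audit_events "$1" | wc -l | tr -d ' '
}

# Live use: keep a full copy of the stream in $2, show matches on stdout.
# Lossy by design (see auditpipe(4)): if the consumer falls behind, the
# kernel drops records rather than blocking the audited processes.
watch_audit_events() {
    praudit -l /dev/auditpipe | tee -a "$2" | filter_audit_events "$1"
}

# Constructed sample of praudit -l output (not real audit data).
sample_audit_stream() {
    cat <<'EOF'
header,110,11,execve(2),0,Tue Aug 21 14:31:11 2007, + 123 msec,path,/bin/ls,subject,root,root,wheel,root,wheel,1234,1000,5678,0.0.0.0,return,success,0,trailer,110
header,98,11,open(2) - read,0,Tue Aug 21 14:31:12 2007, + 10 msec,path,/etc/passwd,subject,root,root,wheel,root,wheel,1235,1000,5678,0.0.0.0,return,success,3,trailer,98
header,105,11,execve(2),0,Tue Aug 21 14:31:13 2007, + 5 msec,path,/usr/bin/id,subject,nobody,nobody,nobody,nobody,nobody,1236,1001,5679,0.0.0.0,return,success,0,trailer,105
EOF
}
```

Run `watch_audit_events 'execve' /var/tmp/audit-live.txt` on a FreeBSD host to watch exec events live while tee keeps the full stream for later praudit or audit-trail review.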