auplugin(3) — Linux manual page


AUPLUGIN(3)                  Linux Audit API                  AUPLUGIN(3)

NAME

       auplugin_init, auplugin_stop, auplugin_event_loop,
       auplugin_event_feed - plugin event processing helpers

SYNOPSIS

       #include <auplugin.h>

       int auplugin_init(int inbound_fd, unsigned queue_size, int
       q_flags, const char *path);
       void auplugin_stop(void);
       void auplugin_event_loop(auplugin_callback_ptr callback);
       int auplugin_event_feed(auparse_callback_ptr callback, unsigned
       timer_interval, auplugin_timer_callback_ptr timer_cb);

DESCRIPTION

       auplugin_init initializes the plugin framework. The inbound_fd
       parameter specifies the file descriptor that will provide audit
       messages, typically standard input. The queue_size argument
       controls the maximum number of events that may be queued for
       processing. The q_flags parameter selects in-memory or file-backed
       storage using the AUPLUGIN_Q_* constants defined in auplugin.h.
       If q_flags includes AUPLUGIN_Q_IN_FILE, path specifies the backing
       file. Any events already present in the file are queued on startup
       so plugins resume processing previously unhandled records.  The
       library maintains global state for its queue and worker threads.
       Only one plugin instance is supported, so callers must not invoke
       auplugin_init() concurrently from multiple threads. The function
       returns 0 on success or -1 if initialization fails.

       auplugin_stop signals the framework to terminate. It is normally
       called from a SIGTERM handler or other shutdown logic.

       auplugin_event_loop starts a worker thread to deliver queued
       events to the supplied callback function one record at a time. The
       function blocks in the caller until auplugin_stop is invoked.

       auplugin_event_feed behaves like auplugin_event_loop, except that
       queued events are fed to libauparse. The provided callback must
       match the auparse_callback_ptr type. The timer_interval argument
       specifies how many seconds the worker thread will wait for new
       records. A value of 0 disables the timer logic. When the interval
       elapses, auparse_feed_age_events is called to flush aged events.
       If timer_cb is not NULL, it is invoked with the interval before
       the flush. Passing a timer_cb of NULL keeps the default behaviour
       of calling auparse_feed_age_events only. The function returns 0 on
       success or -1 if libauparse could not be initialized.

       Plugins can query queue statistics with auplugin_queue_depth,
       auplugin_queue_max_depth, and auplugin_queue_overflow.  Register a
       callback with auplugin_register_stats_callback, and invoke it
       using auplugin_report_stats.

SIGNAL HANDLING

       Plugins should establish signal handlers with sigaction(2) before
       entering the event loop. The SIGTERM handler should call
       auplugin_stop() to shut down the worker thread. Handlers for other
       signals, such as SIGHUP or SIGUSR1, should set global flags that
       are processed in the event or timer callbacks.

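       Example:
       #include <signal.h>
       #include <auplugin.h>

       /* Set by the SIGHUP handler; checked in the event or timer callback. */
       static volatile sig_atomic_t reload;

       static void handler(int sig)
       {
           if (sig == SIGTERM)
               auplugin_stop();    /* shut down the worker thread */
           else if (sig == SIGHUP)
               reload = 1;         /* defer the work to a callback */
       }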

SEE ALSO

       auplugin_fgets(3), auparse_feed(3)

AUTHOR

       Steve Grubb

COLOPHON

       This page is part of the audit (Linux Audit) project.  Information
       about the project can be found at 
       ⟨http://people.redhat.com/sgrubb/audit/⟩.  If you have a bug report
       for this manual page, send it to linux-audit@redhat.com.  This
       page was obtained from the project's upstream Git repository
       ⟨https://github.com/linux-audit/audit-userspace.git⟩ on
       2025-08-11.  (At that time, the date of the most recent commit
       that was found in the repository was 2025-08-09.)  If you discover
       any rendering problems in this HTML version of the page, or you
       believe there is a better or more up-to-date source for the page,
       or you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a
       mail to man-pages@man7.org

Red Hat                         June 2025                     AUPLUGIN(3)