
I have a question: Why does this "rawEvent, err := client.Receive(false)" call only get the audit information once and never get it again, even though I see that the audit log has continuous output #154

Open
cyhChen1 opened this issue May 29, 2024 · 0 comments
cyhChen1 commented May 29, 2024

Here's how I use it, and I have to add audit rules manually:

package main

import (
	"fmt"
	"log"
	"os"
	"os/signal"
	"syscall"

	// Import path assumed to be the v2 module of go-libaudit
	"github.com/elastic/go-libaudit/v2"
)

func main() {
	// Create a new audit client
	client, err := libaudit.NewAuditClient(nil)
	if err != nil {
		log.Fatalf("无法创建Audit客户端: %v", err)
	}
	defer client.Close()

	// Register this process as the audit event receiver (no wait for the kernel ACK)
	if err := client.SetPID(libaudit.NoWait); err != nil {
		log.Fatalf("无法设置PID: %v", err)
	}

	fmt.Println("开始监听审计事件...")
	// Create an exit signal channel
	exitChan := make(chan struct{})

	go func() {
		for {
			select {
			case <-exitChan:
				return
			default:
				// Receive the raw audit message (blocking call)
				rawEvent, err := client.Receive(false)
				if err != nil {
					log.Printf("接收Audit事件失败: %v", err)
					continue
				}

				if rawEvent == nil {
					log.Println("接收到空的事件")
					continue
				}

				log.Printf("接收到的原始事件数据: Type=%d, Data=%s", rawEvent.Type, string(rawEvent.Data))

				// Check that the message length is sane
				if len(rawEvent.Data) == 0 {
					log.Println("收到无效的审计消息:数据长度为0")
					continue
				}

				// Print the parsed message
				fmt.Printf("接收到事件: Type=%d, Message=%s\n", rawEvent.Type, string(rawEvent.Data))
			}
		}
	}()

	// Catch OS signals to shut the client down gracefully
	sig := make(chan os.Signal, 1)
	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
	<-sig

	fmt.Println("关闭Audit客户端")
	// Signal the receive goroutine to exit
	close(exitChan)
}