Message-ID: <46CBE096.90805@gmail.com>
Date: Wed, 22 Aug 2007 11:07:02 +0400
From: sam
To: rwatson@FreeBSD.org
Cc: freebsd-hackers@freebsd.org, trustedbsd-audit@FreeBSD.org, freebsd-audit@freebsd.org
Subject: Re: praudit parse with gnu grep
In-Reply-To: <20070821152327.R53914@fledge.watson.org>

Robert Watson wrote:
>
> On Tue, 21 Aug 2007, sam wrote:
>
>>>>>> # praudit /etc/auditpipe | grep "bla bla bla" & # praudit
>>>>>> /etc/auditpipe | tee file.log
>>>>>>
>>>>>> this does not work, please help me
>>>>>
>>>>> This thread is also on freebsd-hackers, but just to follow up here
>>>>> as well for the purposes of the archives:
>>>>>
>>>>> - It's /dev/auditpipe not /etc/auditpipe
>>>>> - If you're using grep, try --line-buffered
>>>>>
>>>> --line-buffered does not help me
>>>
>>> When you run praudit on /dev/auditpipe directly, do you get the
>>> records you expect?
>>
>> yes
>
> So what are you getting or not getting that is unexpected when you run
> with grep? Have you tried forcing lots of records of the type you
> would be matching to be created to make sure the buffers are flushing
> from praudit/grep/etc? The input/output buffers in stdio mean that
> you may not see output immediately, the buffer has to fill enough to
> trigger an I/O before that will happen.
> > We could add an fflush call to praudit's output, which would flush the > I/O out the file descriptor, but that wouldn't necessarily solve > grep's buffering. The attached patch might do this. > > Robert N M Watson > Computer Laboratory > University of Cambridge > > Index: praudit.c > =================================================================== > RCS file: /data/fbsd-cvs/ncvs/src/contrib/openbsm/bin/praudit/praudit.c,v > retrieving revision 1.1.1.3 > diff -u -r1.1.1.3 praudit.c > --- praudit.c 16 Apr 2007 15:36:57 -0000 1.1.1.3 > +++ praudit.c 21 Aug 2007 14:26:43 -0000 > @@ -107,6 +107,7 @@ > free(buf); > if (oneline) > printf("\n"); > + fflush(stdout); > } > return (0); > } > my big thanks this patch is working /Vladimir Ermakov
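Review bot: the added fflush(stdout) after `if (oneline) printf("\n");` ignores its return value, so a write error on stdout (for example when the reader at the other end of the pipe has exited) goes unnoticed and the code still reaches return (0). Check the result against EOF and stop with an error in that case. A one-line comment saying the flush is there so that records reach a pipe reader as they are produced would also help, because without it the call looks redundant. As the message itself says, this covers only praudit's side of the pipe; grep's own output buffering is a separate matter.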