On Monday, June 5, 2023 6:17:28 PM EDT Vincent Abraham wrote:
> Greetings,
> Could anyone point me to a source for comprehensive documentation for the
> Linux audit framework? I want to know how the framework interacts with the
> kernel to retrieve log information.
If you look at the README page of the userspace portion of code, it mentions that there is a netlink api. It simply listens and writes what it finds to disk. Auditing must be enabled and you need to set the pid in the kernel and then listen for events. There is no extensive documentation - the code is the documentation to the low level API. There is also a best effort multicast netlink api that systemd-journald uses to get events out of the kernel.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit