Provided by: auditd_4.0.5-1build1_amd64 

NAME
audisp-af_unix - plugin to push audit events to an af_unix socket
SYNOPSIS
audisp-af_unix [ OPTIONS ]
DESCRIPTION
audisp-af_unix is a plugin for the audit event dispatcher that sends audit events to an af_unix socket
where other applications can read events. The args line of the af_unix.conf file expects three arguments:
access mode, socket path, and output format. The access mode determines the permissions for the socket
and defaults to 0640. The socket path specifies where the socket will be created, with the default
location being /var/run/audispd_events. The output format determines the format in which events are
delivered to the socket and supports two options: "string" and "binary". The "string" format delivers
events in a human-readable form, while the "binary" format delivers events in their binary
representation, which is essential for applications that need to process events in binary and reconstruct
headers accurately. If the output format is not specified, the plugin defaults to the "string" format.

The af_unix.conf file must also include the line format = binary. This setting specifies the input format
that the audisp-af_unix plugin expects from the audit event dispatcher. It ensures that the input
delivered to the plugin is in binary format, enabling the plugin to reconstruct headers in their proper
binary structure.
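
A check for the settings described above, written as an added example and not code from the audit project: it parses an af_unix.conf body, fills in the documented defaults, and reports problems. It assumes each args value is recognised by its shape (octal digits, absolute path, format keyword) and flags any mode that grants access to "other" users as a local policy choice; the sample configurations are constructed.

```python
DEFAULTS = {"mode": 0o640, "path": "/var/run/audispd_events", "output": "string"}

# Constructed sample configurations (not taken from a real host).
GOOD = "active = yes\nargs = 0640 /var/run/audispd_events binary\nformat = binary\n"
WEAK = "active = yes\nargs = 0666 /var/run/audispd_events\nformat = string\n"


def parse_plugin_conf(text):
    """Collect 'key = value' lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def check_af_unix_conf(text):
    """Return (effective settings, list of problems) for an af_unix.conf body."""
    conf = parse_plugin_conf(text)
    settings, problems = dict(DEFAULTS), []
    # Assumption of this example: each args value is recognised by its shape.
    for arg in conf.get("args", "").split():
        if arg[0].isdigit():
            try:
                settings["mode"] = int(arg, 8)
            except ValueError:
                problems.append(f"access mode {arg!r} is not octal")
        elif arg.startswith("/"):
            settings["path"] = arg
        elif arg in ("string", "binary"):
            settings["output"] = arg
        else:
            problems.append(f"unrecognised args value {arg!r}")
    # Policy choice of this example: audit events should not be readable or
    # writable by users outside the socket's owner and group.
    if settings["mode"] & 0o007:
        problems.append(f"socket mode {settings['mode']:04o} gives access to other users")
    # The page requires the dispatcher-to-plugin input format to be binary.
    if conf.get("format") != "binary":
        problems.append("'format = binary' is missing or set to another value")
    return settings, problems


if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_af_unix_conf(body))
```
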
FILES
/etc/audit/plugins/af_unix.conf
/etc/audit/auditd.conf
SEE ALSO
auditd.conf(8), auditd-plugins(5).
AUTHOR
Steve Grubb
Red Hat Apr 2023 AUDISP-AF_UNIX(8)