return r;
}
-/* Kernel fields are those occuring in the audit string before
+/* Kernel fields are those occurring in the audit string before
* msg='. All of these fields are trusted, hence carry the "_" prefix.
* We try to translate the fields we know into our native names. The
* other's are generically mapped to _AUDIT_FIELD_XYZ= */
{}
};
-/* Userspace fields are thos occuring in the audit string after
+/* Userspace fields are those occurring in the audit string after
* msg='. All of these fields are untrusted, hence carry no "_"
* prefix. We map the fields we don't know to AUDIT_FIELD_XYZ= */
static const MapField map_fields_userspace[] = {
if (!p)
return;
- if (sscanf(p, "(%" PRIi64 ".%" PRIi64 ":%" PRIi64 "):%n",
+ if (sscanf(p, "(%" PRIu64 ".%" PRIu64 ":%" PRIu64 "):%n",
&seconds,
&msec,
&id,
if (isempty(p))
return;
- n_iov_allocated = N_IOVEC_META_FIELDS + 5;
+ n_iov_allocated = N_IOVEC_META_FIELDS + 7;
iov = new(struct iovec, n_iov_allocated);
if (!iov) {
log_oom();
sprintf(id_field, "_AUDIT_ID=%" PRIu64, id);
IOVEC_SET_STRING(iov[n_iov++], id_field);
+ assert_cc(32 == LOG_AUTH);
+ IOVEC_SET_STRING(iov[n_iov++], "SYSLOG_FACILITY=32");
+ IOVEC_SET_STRING(iov[n_iov++], "SYSLOG_IDENTIFIER=audit");
+
m = alloca(strlen("MESSAGE=<audit-") + DECIMAL_STR_MAX(int) + strlen("> ") + strlen(p) + 1);
sprintf(m, "MESSAGE=<audit-%i> %s", type, p);
IOVEC_SET_STRING(iov[n_iov++], m);
if (r < 0)
return log_error_errno(errno, "Failed to set SO_PASSCRED on audit socket: %m");
- r = sd_event_add_io(s->event, &s->audit_event_source, s->audit_fd, EPOLLIN, process_datagram, s);
+ r = sd_event_add_io(s->event, &s->audit_event_source, s->audit_fd, EPOLLIN, server_process_datagram, s);
if (r < 0)
return log_error_errno(r, "Failed to add audit fd to event loop: %m");