I have a question: why does this "rawEvent, err := client.Receive(false)" call only get the audit information once and never again, when I can see that the audit log has continuous output? #154

@cyhChen1


Here's how I use it, and I have to manually add audit rules

```go
package main

import (
	"fmt"
	"log"
	"os"
	"os/signal"
	"syscall"

	"github.com/elastic/go-libaudit/v2"
)

func main() {
	// Create a new audit client (nil: no debug writer).
	client, err := libaudit.NewAuditClient(nil)
	if err != nil {
		log.Fatalf("failed to create audit client: %v", err)
	}
	defer client.Close()

	// Register this process as the recipient of audit events.
	if err := client.SetPID(libaudit.NoWait); err != nil {
		log.Fatalf("failed to set PID: %v", err)
	}

	fmt.Println("Listening for audit events...")
	// Create an exit signal channel.
	exitChan := make(chan struct{})

	go func() {
		for {
			select {
			case <-exitChan:
				return
			default:
				// Receive a raw audit message (blocking read).
				rawEvent, err := client.Receive(false)
				if err != nil {
					log.Printf("failed to receive audit event: %v", err)
					continue
				}

				if rawEvent == nil {
					log.Println("received an empty event")
					continue
				}

				log.Printf("raw event data received: Type=%d, Data=%s", rawEvent.Type, string(rawEvent.Data))

				// Check that the message length is sane.
				if len(rawEvent.Data) == 0 {
					log.Println("received an invalid audit message: data length is 0")
					continue
				}

				// Print the parsed message.
				fmt.Printf("event received: Type=%d, Message=%s\n", rawEvent.Type, string(rawEvent.Data))
			}
		}
	}()

	// Catch OS signals so the client can be shut down gracefully.
	sig := make(chan os.Signal, 1)
	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
	<-sig

	fmt.Println("Closing audit client")
	// Signal the receive goroutine to exit.
	close(exitChan)
}
```
