AUDISP-AF_UNIX(8)	System Administration Utilities	     AUDISP-AF_UNIX(8)

NAME
       audisp-af_unix - plugin to push audit events to an af_unix socket

SYNOPSIS
       audisp-af_unix [ OPTIONS ]

DESCRIPTION
       audisp-af_unix is a plugin for the audit event dispatcher that sends
       audit events to an af_unix socket where other applications can read
       events. The args line of the af_unix.conf file expects three arguments:
       access mode, socket path, and output format. The access mode determines
       the permissions for the socket and defaults to 0640. The socket path
       specifies where the socket will be created, with the default location
       being /var/run/audispd_events. The output format determines the format
       in which events are delivered to the socket and supports two options:
       "string" and "binary". The "string" format delivers events in a human-
       readable form, while the "binary" format delivers events in their
       binary representation, which is essential for applications that need to
       process events in binary and reconstruct headers accurately. If the
       output format is not specified, the plugin defaults to the "string"
       format.

       The af_unix.conf file must also include the line format = binary. This
       setting specifies the input format that the audisp-af_unix plugin
       expects from the audit event dispatcher. It ensures that the input
       delivered to the plugin is in binary format, enabling the plugin to
       reconstruct headers in their proper binary structure.
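
       An added example, not part of the original man page or the audit
       project's code: a Python check that reads the text of af_unix.conf,
       applies the defaults described above, and reports a mode that opens
       the socket to other users or a missing format = binary line. It
       assumes key = value lines and that the three args values are told
       apart by their shape (octal digits, a leading /, or string/binary);
       the sample file contents are constructed.

```python
# Defaults as stated in the DESCRIPTION section of this man page.
DEFAULTS = {"mode": 0o640, "path": "/var/run/audispd_events", "output": "string"}


def parse_conf(text):
    """Return key -> value for 'key = value' lines, skipping comment lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_af_unix(text):
    """Return (effective settings, findings) for the text of af_unix.conf."""
    conf = parse_conf(text)
    eff = dict(DEFAULTS)
    findings = []
    # Assumption of this example: each args value is identified by its shape.
    for arg in conf.get("args", "").split():
        if arg[0].isdigit():
            try:
                eff["mode"] = int(arg, 8)
            except ValueError:
                findings.append(f"access mode {arg!r} is not octal")
        elif arg.startswith("/"):
            eff["path"] = arg
        elif arg in ("string", "binary"):
            eff["output"] = arg
        else:
            findings.append(f"unrecognised args value {arg!r}")
    # Any bit in the "other" triplet exposes audit events beyond owner and group.
    if eff["mode"] & 0o007:
        findings.append(f"mode {eff['mode']:04o} grants access to other users")
    # The page requires this line so the plugin receives binary input.
    if conf.get("format") != "binary":
        findings.append("missing 'format = binary' line")
    return eff, findings


# Constructed sample contents (only the two keys this page describes).
WEAK = "args = 0666 /var/run/audispd_events\n"
GOOD = "args = 0640 /var/run/audispd_events binary\nformat = binary\n"

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, audit_af_unix(text))
```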


FILES
       /etc/audit/plugins/af_unix.conf
       /etc/audit/auditd.conf

SEE ALSO
       auditd.conf(8), auditd-plugins(5).

AUTHOR
       Steve Grubb

Red Hat				   Apr 2023		     AUDISP-AF_UNIX(8)
