work praudit with tee & grep

Robert Watson rwatson at
Tue Aug 21 06:31:12 PDT 2007

On Tue, 21 Aug 2007, Eric Crist wrote:

>> thx this not working wite up buffer-pipe to 4096 bytes
> Can I ask what is in the /etc/auditpipe file?

I believe what is meant is /dev/auditpipe, which provides a live event stream 
from the kernel's audit subsystem in FreeBSD 6.2 and later.  You can read more 
about the event audit facility here:

The auditpipe(4) man page provides more detailed information on audit pipes, 
which, unlike the trail files in /var/audit, provide live streams in a lossy 
way, and allow applications to push filters into the kernel as to what events 
they are interested in hearing about.

Robert N M Watson
Computer Laboratory
University of Cambridge
