Example of adding the system program KlogStorage to a solution to write audit data to a file
Source code of the program
klog_storage/src/klog_storage_entity.c
#include<klog_storage/server.h>#include<klog_storage/file_storage.h>#include<ping/KlogStorageEntity.edl.h>intmain(int argc, char *argv[]){
/* This function call starts the IPC request processing loop.
* The audit data will be written to the file /etc/klog_storage.log, which can
* hold no more than 100 entries. When the file is completely full, the previous
* entries will be replaced by new entries starting at the beginning of the file. If the last parameter
* of the function has a value other than 1, the KlogStorage program at startup
* opens the existing file and begins to write audit data at the specific position
* that was set in the file after the previous write operation. If the last
* parameter of the function has a value of 1, a new empty file will be created.
* (The constants ping_KlogStorageEntity_klogStorage_iidOffset and
* ping_KlogStorageEntity_klogStorage_storage_iid are defined in the header
* file KlogStorageEntity.edl.h, which contains the automatically generated
* transport code.) */returnklog_storage_file_storage_run(KLOG_STORAGE_SERVER_CONNECTION_ID,
"/etc/klog_storage.log",
ping_KlogStorageEntity_klogStorage_iidOffset,
ping_KlogStorageEntity_klogStorage_storage_iid,
100,
0);
}
Building a program
The difference between the CMake commands for building the KlogStorage program that writes audit data to a file and the CMake commands for building the version of this program that sends audit data to standard error comprises the following modification:
klog_storage/CMakeLists.txt
...
# When creating the executable file of the KlogStorage program, you must# link it to the klog_storage_file_storage library.target_link_libraries (KlogStorageEntity ${klog_storage_FILE_STORAGE_LIB})
...
Program process dictionary in the init description template
The difference between a policy description for a KlogStorage program that writes audit data to a file and a policy description for a version of this program that sends audit data to standard error comprises the following addition:
einit/src/security.psl.in
...
use EDL file_vfs.FileVfs
...
use vfs._
...
einit/src/vfs.psl
...
/* Interaction with the VFS program */
request dst=file_vfs.FileVfs {
match src=ping.KlogStorageEntity { grant () }
}
response src=file_vfs.FileVfs {
match dst=ping.KlogStorageEntity { grant () }
}
error src=file_vfs.FileVfs {
match dst=ping.KlogStorageEntity { grant () }
}
...
Forwarding audit data to other programs
To forward file-written audit data via IPC, the KlogStorage program provides the read and readRange interface methods defined in the file sysroot-*-kos/include/kl/KlogStorage.idl from the KasperskyOS SDK.
The executable file of the program that needs to receive the audit data must be linked to the client library of the KlogStorage program:
klog_reader/CMakeLists.txt
# Import KlogStorage libraries from the# KasperskyOS SDKfind_package (klog_storage REQUIRED)
include_directories (${klog_storage_INCLUDE})
...
# Create the executable file of the program that needs to# receive audit data from the KlogStorage program.add_executable (KlogReader "src/klog_reader.c")
target_link_libraries (KlogReader ${klog_storage_CLIENT_LIB})
...
Source code for receiving audit data from the KlogStorage program:
klog_reader/src/klog_reader.c
#include<klog_storage/client.h>
...
intmain(int argc, char *argv[]){
...
structKlog_storage_ctx *storage =
klog_storage_init(KLOG_STORAGE_SERVER_CONNECTION_ID);
structkl_KlogStorage_Entry first_entries[10], latest_entries [10];
/* Read the first ten entries */int f_count = klog_storage_read_range(klog_storage_IKlog_storage(storage),
1,
10,
first_entries);
/* Read the last ten entries */int l_count = klog_storage_read(klog_storage_IKlog_storage(storage),
10,
latest_entries);
...
}
Article ID: klogstorage_usage_example_file, Last review: Feb 20, 2025