Fix unit tests

CMakeLists.txt

@@ -273,14 +273,17 @@ target_link_libraries(ConfigTests ${Boost_LIBRARIES})
 add_test(Config ${CMAKE_BINARY_DIR}/ConfigTests --log_sink=ConfigTests.log --report_sink=ConfigTests.report)
 
 add_executable(EventTests
-        TempFile.cpp
+        TempDir.cpp
         Logger.cpp
-        Queue.cpp
+        PriorityQueue.cpp
+        FileUtils.cpp
         Event.cpp
         EventTests.cpp
 )
 
-target_link_libraries(EventTests ${Boost_LIBRARIES})
+target_link_libraries(EventTests ${Boost_LIBRARIES}
+        pthread
+)
 
 add_test(Event ${CMAKE_BINARY_DIR}/EventTests --log_sink=EventTests.log --report_sink=EventTests.report)
 
@@ -360,8 +363,6 @@ add_executable(EventProcessorTests
 )
 
 target_link_libraries(EventProcessorTests ${Boost_LIBRARIES}
-        audit
-        auparse
         dl
         pthread
         rt
@@ -383,8 +384,6 @@ add_executable(ExecveConverterTests
 )
 
 target_link_libraries(ExecveConverterTests ${Boost_LIBRARIES}
-        audit
-        auparse
         dl
         pthread
         rt

EventProcessorTests.cpp

@@ -17,7 +17,7 @@
 #define BOOST_TEST_MODULE "EventProcessorTests"
 #include <boost/test/unit_test.hpp>
 
-#include "Queue.h"
+#include "PriorityQueue.h"
 #include "Logger.h"
 #include "TempDir.h"
 #include "TestEventData.h"
@@ -47,7 +47,7 @@ class RawEventQueue: public IEventBuilderAllocator {
 public:
     explicit RawEventQueue(std::shared_ptr<RawEventProcessor> proc): _buffer(), _size(0), _proc(std::move(proc)) {}
 
-    int Allocate(void** data, size_t size) override {
+    bool Allocate(void** data, size_t size) override {
         if (_size != size) {
             _size = size;
         }
@@ -55,18 +55,18 @@ public:
             _buffer.resize(_size);
         }
         *data = _buffer.data();
-        return 1;
+        return true;
     }
 
-    int Commit() override {
+    bool Commit() override {
         _proc->ProcessData(_buffer.data(), _size);
         _size = 0;
-        return 1;
+        return true;
     }
 
-    int Rollback() override {
+    bool Rollback() override {
         _size = 0;
-        return 1;
+        return true;
     }
 
 private:

EventTests.cpp

@@ -18,20 +18,20 @@
 #define BOOST_TEST_MODULE "EventTests"
 #include <boost/test/unit_test.hpp>
 
-#include "Queue.h"
+#include "PriorityQueue.h"
 #include "EventQueue.h"
-#include "TempFile.h"
+#include "TempDir.h"
 
 
 
 BOOST_AUTO_TEST_CASE( test )
 {
-    TempFile file("/tmp/EventTests.");
+    TempDir dir("/tmp/EventTests.");
 
-    auto queue = std::make_shared<Queue>(file.Path(), 64*1024);
+    auto queue = PriorityQueue::Open(dir.Path(), 8, 16*1024,8, 0, 100, 0);
     auto event_queue = std::make_shared<EventQueue>(queue);
 
-    queue->Open();
+    auto cursor = queue->OpenCursor("event_test");
 
     EventBuilder builder(event_queue);
 
@@ -82,15 +82,12 @@ BOOST_AUTO_TEST_CASE( test )
         BOOST_FAIL("EndEvent failed: " + std::to_string(ret));
     }
 
-    char buffer[64*1024];
-    void* data = reinterpret_cast<void*>(buffer);
-    size_t size = sizeof(buffer);
-    QueueCursor cursor = QueueCursor::TAIL;
-    if (queue->Get(cursor, data, &size, &cursor, 10) <= 0) {
+    auto rval = cursor->Get(0);
+    if (!rval.first) {
         BOOST_FAIL("Queue didn't have any data in it!");
     }
 
-    Event event(data, size);
+    Event event(rval.first->Data(), rval.first->Size());
 
     BOOST_CHECK_EQUAL(event.Seconds(), 1);
     BOOST_CHECK_EQUAL(event.Milliseconds(), 3);
@@ -223,11 +220,12 @@ BOOST_AUTO_TEST_CASE( test )
         BOOST_FAIL("EndEvent failed: " + std::to_string(ret));
     }
 
-    size = sizeof(buffer);
-    if (queue->Get(cursor, data, &size, &cursor, 10) <= 0) {
+    rval = cursor->Get(0);
+    if (!rval.first) {
         BOOST_FAIL("Queue didn't have any data in it!");
     }
-    event = Event(data, size);
+
+    event = Event(rval.first->Data(), rval.first->Size());
 
     BOOST_CHECK_EQUAL(event.Pid(), -1);
 

ExecveConverterTests.cpp

@@ -37,7 +37,7 @@ class RawEventQueue: public IEventBuilderAllocator {
 public:
     explicit RawEventQueue(std::vector<std::string>& cmdlines): _buffer(), _size(0), _cmdlines(cmdlines) {}
 
-    int Allocate(void** data, size_t size) override {
+    bool Allocate(void** data, size_t size) override {
         if (_size != size) {
             _size = size;
         }
@@ -45,10 +45,10 @@ public:
             _buffer.resize(_size);
         }
         *data = _buffer.data();
-        return 1;
+        return true;
     }
 
-    int Commit() override {
+    bool Commit() override {
         Event event(_buffer.data(), _size);
         std::vector<EventRecord> recs;
         for(auto& rec :event) {
@@ -59,12 +59,12 @@ public:
         _converter.Convert(recs, _cmdline);
         _cmdlines.emplace_back(_cmdline);
         _size = 0;
-        return 1;
+        return true;
     }
 
-    int Rollback() override {
+    bool Rollback() override {
         _size = 0;
-        return 1;
+        return true;
     }
 
 private:

TestEventData.cpp

@@ -127,6 +127,7 @@ const std::vector<TestEvent> test_events {
                 // EXECVE
                 {"argc", "6", nullptr, field_type_t::UNCLASSIFIED},
                 {"cmdline", "logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"", nullptr, field_type_t::UNESCAPED},
+                {"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
             }}}
         },
         {1521757638, 392, 262333, 1, 26918, {
@@ -159,6 +160,7 @@ const std::vector<TestEvent> test_events {
                 // EXECVE
                 {"argc", "6", nullptr, field_type_t::UNCLASSIFIED},
                 {"cmdline", "logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"", nullptr, field_type_t::UNESCAPED},
+                {"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
             }}}
         },
         {1521757638, 392, 262334, 1, -1, {
@@ -182,6 +184,7 @@ const std::vector<TestEvent> test_events {
                 // EXECVE
                 {"argc", "6", nullptr, field_type_t::UNCLASSIFIED},
                 {"cmdline", "logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"", nullptr, field_type_t::UNESCAPED},
+                {"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
             }}}
         },
         {1521773704, 435, 270957, 0, -1, {
@@ -252,6 +255,7 @@ const std::vector<TestEvent> test_events {
                 {"exe", "\"/usr/sbin/chronyd\"", nullptr, field_type_t::ESCAPED},
                 {"key", "\"time-change\"", "time-change", field_type_t::ESCAPED_KEY},
                 {"proctitle", "/usr/sbin/chronyd", nullptr, field_type_t::PROCTITLE},
+                {"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
             }}}
         },
         {1563470055, 872, 7605215, 1, 91098, {
@@ -300,6 +304,7 @@ const std::vector<TestEvent> test_events {
                 // EXECVE
                 {"argc", "5", nullptr, field_type_t::UNCLASSIFIED},
                 {"cmdline", "iptables -w -t security --flush", nullptr, field_type_t::UNESCAPED},
+                {"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
             }}}
         },
         {1563470055, 876, 7605216, 1, 91098, {
@@ -333,6 +338,7 @@ const std::vector<TestEvent> test_events {
                 {"NETFILTER_CFG_table", "security", nullptr, field_type_t::UNCLASSIFIED},
                 {"NETFILTER_CFG_family", "2", nullptr, field_type_t::NFPROTO},
                 {"NETFILTER_CFG_entries", "4", nullptr, field_type_t::UNCLASSIFIED},
+                {"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
             }}}
         },
         {1572298453, 690, 5717, 1, 1450, {
@@ -363,6 +369,7 @@ const std::vector<TestEvent> test_events {
                 {"exe", "\"/usr/sbin/agetty\"", nullptr, field_type_t::ESCAPED},
                 {"key", "(null)", nullptr, field_type_t::ESCAPED_KEY},
                 {"INTEGRITY_POLICY_RULE_unparsed_text", "IPE=ctx ( op: [execute] dmverity_verified: [false] boot_verified: [true] audit_pathname: [/usr/lib/libc-2.28.so] )  [ action = allow ] [ boot_verified = true ]", nullptr, field_type_t::UNESCAPED},
+                {"containerid", "", nullptr, field_type_t::UNCLASSIFIED},
             }}}
         },
 };
@@ -375,12 +382,12 @@ const std::vector<const char*> oms_test_events = {
 };
 */
 const std::vector<const char*> oms_test_events = {
-        R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262332,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","ppid":"26595","pid":"26918","audit_user":"root","auid":"0","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"842","comm":"logger","exe":"/usr/bin/logger","key":"auoms,execve","key_r":"61756F6D7301657865637665","cwd":"/","name":"/usr/bin/logger","inode":"312545","dev":"00:13","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \""}]}])event",
-        R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262333,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","ppid":"26595","pid":"26918","audit_user":"root","auid":"0","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"842","comm":"logger","exe":"/usr/bin/logger","key":"(null)","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \""}]}])event",
-        R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262334,"ProcessFlags":0,"records":[{"RecordTypeCode":10002,"RecordType":"AUOMS_SYSCALL_FRAGMENT","cwd":"/","name":"/usr/bin/logger","inode":"312545","dev":"00:13","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \""}]}])event",
+        R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262332,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","ppid":"26595","pid":"26918","audit_user":"root","auid":"0","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"842","comm":"logger","exe":"/usr/bin/logger","key":"auoms,execve","key_r":"61756F6D7301657865637665","cwd":"/","name":"/usr/bin/logger","inode":"312545","dev":"00:13","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","containerid":""}]}])event",
+        R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262333,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"55d782c96198","a1":"55d782c96120","a2":"55d782c96158","a3":"1","ppid":"26595","pid":"26918","audit_user":"root","auid":"0","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"842","comm":"logger","exe":"/usr/bin/logger","key":"(null)","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","containerid":""}]}])event",
+        R"event([1521757638.392,{"MessageType":"AUOMS_EVENT","Timestamp":"1521757638.392","SerialNumber":262334,"ProcessFlags":0,"records":[{"RecordTypeCode":10002,"RecordType":"AUOMS_SYSCALL_FRAGMENT","cwd":"/","name":"/usr/bin/logger","inode":"312545","dev":"00:13","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/bin/logger\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"6","cmdline":"logger -t zfs-backup -p daemon.err \"zfs incremental backup of rpool/lxd failed: \"","containerid":""}]}])event",
         R"event([1562867403.686,{"MessageType":"AUDIT_EVENT","Timestamp":"1562867403.686","SerialNumber":4179743,"ProcessFlags":0,"records":[{"RecordTypeCode":1112,"RecordType":"USER_LOGIN","pid":"26475","user":"root","uid":"0","audit_user":"user","auid":"1000","ses":"91158","op":"login","id":"user","id_r":"1000","exe":"/usr/sbin/sshd","hostname":"131.107.147.6","addr":"131.107.147.6","terminal":"/dev/pts/0","res":"success"}]}])event",
-        R"event([1563459621.014,{"MessageType":"AUOMS_EVENT","Timestamp":"1563459621.014","SerialNumber":574,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"x86_64","syscall":"adjtimex","success":"yes","exit":"0","a0":"7ffc9aa65d80","a1":"0","a2":"270b","a3":"7ffc9aa65e40","ppid":"1","pid":"1655","audit_user":"unset","auid":"4294967295","user":"_chrony","uid":"123","group":"_chrony","gid":"132","effective_user":"_chrony","euid":"123","set_user":"_chrony","suid":"123","filesystem_user":"_chrony","fsuid":"123","effective_group":"_chrony","egid":"132","set_group":"_chrony","sgid":"132","filesystem_group":"_chrony","fsgid":"132","tty":"(none)","ses":"-1","comm":"chronyd","exe":"/usr/sbin/chronyd","key":"time-change","key_r":"\"time-change\"","proctitle":"/usr/sbin/chronyd"}]}])event",
-        R"event([1563470055.872,{"MessageType":"AUOMS_EVENT","Timestamp":"1563470055.872","SerialNumber":7605215,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"ad1150","a1":"ad03d0","a2":"ad0230","a3":"fc2c9fc5","ppid":"16244","pid":"91098","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"iptables","exe":"/usr/sbin/xtables-multi","key":"auoms","key_r":"\"auoms\"","cwd":"/var/lib/waagent","name":"/usr/sbin/iptables","inode":"1579593","dev":"08:02","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/sbin/iptables\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"5","cmdline":"iptables -w -t security --flush"}]}])event",
-        R"event([1563470055.876,{"MessageType":"AUOMS_EVENT","Timestamp":"1563470055.876","SerialNumber":7605216,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"x86_64","syscall":"setsockopt","success":"yes","exit":"0","a0":"4","a1":"0","a2":"40","a3":"c31600","ppid":"16244","pid":"91098","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"iptables","exe":"/usr/sbin/xtables-multi","key":"(null)","proctitle":"/bin/sh -c \"iptables -w -t security --flush\"","NETFILTER_CFG_table":"security","NETFILTER_CFG_family":"2","NETFILTER_CFG_entries":"4"}]}])event",
-        R"event([1572298453.69,{"MessageType":"AUOMS_EVENT","Timestamp":"1572298453.690","SerialNumber":5717,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"aarch64","syscall":"mmap","success":"yes","exit":"281129964019712","a0":"0","a1":"16a048","a2":"5","a3":"802","ppid":"1","pid":"1450","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"agetty","exe":"/usr/sbin/agetty","key":"(null)","INTEGRITY_POLICY_RULE_unparsed_text":"IPE=ctx ( op: [execute] dmverity_verified: [false] boot_verified: [true] audit_pathname: [/usr/lib/libc-2.28.so] )  [ action = allow ] [ boot_verified = true ]"}]}])event",
+        R"event([1563459621.014,{"MessageType":"AUOMS_EVENT","Timestamp":"1563459621.014","SerialNumber":574,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"x86_64","syscall":"adjtimex","success":"yes","exit":"0","a0":"7ffc9aa65d80","a1":"0","a2":"270b","a3":"7ffc9aa65e40","ppid":"1","pid":"1655","audit_user":"unset","auid":"4294967295","user":"_chrony","uid":"123","group":"_chrony","gid":"132","effective_user":"_chrony","euid":"123","set_user":"_chrony","suid":"123","filesystem_user":"_chrony","fsuid":"123","effective_group":"_chrony","egid":"132","set_group":"_chrony","sgid":"132","filesystem_group":"_chrony","fsgid":"132","tty":"(none)","ses":"-1","comm":"chronyd","exe":"/usr/sbin/chronyd","key":"time-change","key_r":"\"time-change\"","proctitle":"/usr/sbin/chronyd","containerid":""}]}])event",
+        R"event([1563470055.872,{"MessageType":"AUOMS_EVENT","Timestamp":"1563470055.872","SerialNumber":7605215,"ProcessFlags":0,"records":[{"RecordTypeCode":14688,"RecordType":"AUOMS_EXECVE","arch":"x86_64","syscall":"execve","success":"yes","exit":"0","a0":"ad1150","a1":"ad03d0","a2":"ad0230","a3":"fc2c9fc5","ppid":"16244","pid":"91098","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"iptables","exe":"/usr/sbin/xtables-multi","key":"auoms","key_r":"\"auoms\"","cwd":"/var/lib/waagent","name":"/usr/sbin/iptables","inode":"1579593","dev":"08:02","mode":"file,755","o_user":"root","ouid":"0","owner_group":"root","ogid":"0","rdev":"00:00","nametype":"NORMAL","path_name":"[\"/usr/sbin/iptables\",\"/lib64/ld-linux-x86-64.so.2\"]","path_nametype":"[\"NORMAL\",\"NORMAL\"]","path_mode":"[\"0100755\",\"0100755\"]","path_ouid":"[\"0\",\"0\"]","path_ogid":"[\"0\",\"0\"]","argc":"5","cmdline":"iptables -w -t security --flush","containerid":""}]}])event",
+        R"event([1563470055.876,{"MessageType":"AUOMS_EVENT","Timestamp":"1563470055.876","SerialNumber":7605216,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"x86_64","syscall":"setsockopt","success":"yes","exit":"0","a0":"4","a1":"0","a2":"40","a3":"c31600","ppid":"16244","pid":"91098","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"iptables","exe":"/usr/sbin/xtables-multi","key":"(null)","proctitle":"/bin/sh -c \"iptables -w -t security --flush\"","NETFILTER_CFG_table":"security","NETFILTER_CFG_family":"2","NETFILTER_CFG_entries":"4","containerid":""}]}])event",
+        R"event([1572298453.69,{"MessageType":"AUOMS_EVENT","Timestamp":"1572298453.690","SerialNumber":5717,"ProcessFlags":0,"records":[{"RecordTypeCode":10001,"RecordType":"AUOMS_SYSCALL","arch":"aarch64","syscall":"mmap","success":"yes","exit":"281129964019712","a0":"0","a1":"16a048","a2":"5","a3":"802","ppid":"1","pid":"1450","audit_user":"unset","auid":"4294967295","user":"root","uid":"0","group":"root","gid":"0","effective_user":"root","euid":"0","set_user":"root","suid":"0","filesystem_user":"root","fsuid":"0","effective_group":"root","egid":"0","set_group":"root","sgid":"0","filesystem_group":"root","fsgid":"0","tty":"(none)","ses":"-1","comm":"agetty","exe":"/usr/sbin/agetty","key":"(null)","INTEGRITY_POLICY_RULE_unparsed_text":"IPE=ctx ( op: [execute] dmverity_verified: [false] boot_verified: [true] audit_pathname: [/usr/lib/libc-2.28.so] )  [ action = allow ] [ boot_verified = true ]","containerid":""}]}])event",
 };

TestEventQueue.h

@@ -24,20 +24,20 @@
 
 class TestEventQueue: public IEventBuilderAllocator {
 public:
-    virtual int Allocate(void** data, size_t size) {
+    virtual bool Allocate(void** data, size_t size) {
         _buffer.resize(size);
         *data = _buffer.data();
-        return 1;
+        return true;
     }
 
-    virtual int Commit() {
+    virtual bool Commit() {
         _events.emplace_back(std::make_shared<std::vector<uint8_t>>(_buffer.begin(), _buffer.end()));
-        return 1;
+        return true;
     }
 
-    virtual int Rollback() {
+    virtual bool Rollback() {
         _buffer.resize(0);
-        return 1;
+        return true;
     }
 
     size_t GetEventCount() {