1 files changed, 14 insertions, 0 deletions
diff --git a/src/organize.go b/src/organize.go
index 1b064c1..f5c9992 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -160,6 +160,20 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
                        syscallParam: a,
                        pathName:     "",
                })
+        case "write":
+                eventTable.Store(eventId, &Event{
+                        tag:          FILEWRITE,
+                        timestamp:    event.timestamp,
+                        syscall:      event.syscall,
+                        exit_code:    uint64(exit),
+                        ppid:         event.ppid,
+                        pid:          event.pid,
+                        argc:         0,
+                        argv:         make([]string, 0),
+                        cwd:          "",
+                        syscallParam: a,
+                        // pathName:     "",
+                })
        case "close":
                // 文件关闭
                eventTable.Store(eventId, &Event{

diff --git a/src/organize.go b/src/organize.go index 1b064c1..f5c9992 100644 --- a/src/organize.go +++ b/src/organize.go
@@ -160,6 +160,20 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
160	syscallParam: a,	160	syscallParam: a,
161	pathName: "",	161	pathName: "",
162	})	162	})
		163	case "write":
		164	eventTable.Store(eventId, &Event{
		165	tag: FILEWRITE,
		166	timestamp: event.timestamp,
		167	syscall: event.syscall,
		168	exit_code: uint64(exit),
		169	ppid: event.ppid,
		170	pid: event.pid,
		171	argc: 0,
		172	argv: make([]string, 0),
		173	cwd: "",
		174	syscallParam: a,
		175	// pathName: "",
		176	})
163	case "close":	177	case "close":
164	// 文件关闭	178	// 文件关闭
165	eventTable.Store(eventId, &Event{	179	eventTable.Store(eventId, &Event{