I'm writing an auditd plugin to record activity and report it to an external server for reporting. In my testing, I enabled pam_tty_audit.

After running test data through it, I notice that when logged in as root, the tty events are sent in real time, and not cached in the event queue.

When running as a user, the events are only spit out by the dispatcher (and presumably downstream in the auditd daemon) much later - presumably when the cache is full. I've seen some events sit in the queue for over 8 hours on unattended machines.

The other difference is the root tty events are sent as individual events, whereas the user events are collected and sent as a single compound event. I've tried various configuration changes, but this behavior seems to be set in stone.

While I can probably parse out / separate the compound events (though would rather not, if possible), the big deal is the cache delay.

Is there a way of forcing the system to send tty events (or for that matter, all) to the plugin in near real time as with root?