<html><body> I just reran the stress test using audit 8-1 and the .40 kernel, and I have a question about the continuation of records from one log file to another. End of audit.log.1: type=PATH msg=audit(1116457159.607:12637620): item=0 name="stress2_dir" type=SYSCALL msg=audit(1116457159.607:12637620): syscall=90 arch=c000003e success=no exit=-2 a0=7fbffffb80 a1=0 a2=ffffffffffffffc0 a3=7 items=1 pid=24388 loginuid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="stress2_test" exe="/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress2_test" type=PATH msg=audit(1116457159.607:12637634): item=0 name="stress2_dir" inode=5111949 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 Start of audit.log.2: type=PATH msg=audit(1116457158.064:12321219): item=0 name="stress1_dir" inode=5111949 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 type=SYSCALL msg=audit(1116457158.064:12321219): syscall=83 arch=c000003e success=yes exit=0 a0=7fbffffbe0 a1=1ff a2=402136 a3=0 items=1 pid=24343 loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="stress1_test" exe="/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress1_test" type=PATH msg=audit(1116457158.064:12321233): item=0 name="stress1_dir" inode=5111963 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 Start of audit.log: type=SYSCALL msg=audit(1116457159.607:12637634): syscall=84 arch=c000003e success=no exit=-2 a0=7fbffffb80 a1=2 a2=ffffffffffffffc0 a3=5f32737365727473 items=1 pid=24388 loginuid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="stress2_test" exe="/rhcc/eal4/tests/LTP/ltp-full/testcases/audit/stress/stress2_test" I was expecting the SYSCALL line for (1116457159.607:12637634) at the start of audit.log.2, but it is at the start of audit.log. Can you explain the rotation order to me? Thanks! Kris Wilson Linux Security (512) 838-0126 T/L:678-0126 krisw@us.ibm.com</body></html>