<tt>Steve Grubb <sgrubb@redhat.com> wrote on 11/09/2007 12:56:41 PM: > On Friday 09 November 2007 12:15:43 klausk@br.ibm.com wrote: > > Trying to debug this problem, I saw that it's happening because the record > > 'machine' field in the auparse internal structure is set to '-1': > > That would do it. Now...how did that happen? arch says its a 64 bit S390 > machine. > </tt> <tt>From ellist.c, function parse_up_record():</tt> <tt> } else if(r->nv.cnt == 2 && strcmp(n.name, "arch")== 0){</tt> <tt> unsigned int ival;</tt> <tt> errno = 0;</tt> <tt> ival = strtoul(n.val, NULL, 16);</tt> <tt> if (errno) </tt> <tt> r->machine = -1;</tt> <tt> r->machine = audit_elf_to_machine(ival);</tt> <tt> } else if(r->nv.cnt == 3 && strcmp(n.name,</tt> <tt> "syscall") == 0){</tt> <tt> errno = 0;</tt> <tt> r->syscall = strtoul(n.val, NULL, 10);</tt> <tt> if (errno)</tt> <tt> r->syscall = -1;</tt> <tt>See that 'r->machine' and 'r->syscall' are only filled when the 'arch' field in found in the 2nd position, and syscall in the 3rd position respectively. That is not true when the dispatcher is appending a 'node=' field to each record.</tt> <tt>I just confirmed this behavior by setting 'name_format = NONE' in the audispd configuration, and then I was capable of seeing the 'arch=' field correctly interpreted to 's390x'</tt> <tt>I would provide a patch myself, but I'm not sure why you need to check the field position in this function (I mean, if the field is arch=, wouldn't it be interpreted no matter what position it is?)</tt> <tt>Thoughts?</tt> <tt> Thanks,</tt> <tt> Klaus</tt> -- Klaus Heinrich Kiwi/Brazil/IBM <klausk@br.ibm.com> Software Engineer IBM STG, Linux Technology Center Phone:(+55-19) 2132-1909 [T/L 839-1909]