event loss with dispatcher?

Steve Grubb sgrubb at redhat.com
Fri Nov 9 14:23:24 UTC 2007


On Thursday 08 November 2007 21:20:42 John Dennis wrote:
> Steve Grubb wrote:
> > On Thursday 08 November 2007 16:17:52 klausk at br.ibm.com wrote:
> >> Any tips on how can I debug this further?
>
> but by any chance could the missing audit data be explained by out of order
> event IDs in the audit stream?

No chance. :)

Audispd does not link against the audit parsing library nor has a concept of a 
full event - it just distributes what it has. If the configuration option is 
to send string data to plugins, it does convert the type number to a string 
value by a lookup function in libaudit, but that's the full extent of it doing 
anything to the event it's passing along.

-Steve
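
An added example, not part of the original message or of the audit project's code: because audispd forwards records without assembling events, a plugin that needs whole events has to group records by the ID in each record header itself. The sketch assumes string-format records laid out as in audit.log (`type=... msg=audit(time:serial):`, optionally prefixed by `node=`); the function name and the sample records are constructed.

```python
import re
from collections import OrderedDict

# Record header: [node=HOST ]type=NAME msg=audit(SECONDS.MILLIS:SERIAL):
RECORD_RE = re.compile(r'^(?:node=\S+ )?type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')

def group_records(lines):
    """Group raw records into events keyed by (timestamp, serial).

    Returns (events, interleaved, unparsed). events keeps first-seen order and
    maps each key to its record types; interleaved holds the keys whose records
    were separated in the stream by records of another event.
    """
    events = OrderedDict()
    interleaved = set()
    unparsed = []
    last_key = None
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            if line.strip():
                unparsed.append(line)  # keep for inspection, do not drop silently
            continue
        key = (m.group(2), int(m.group(3)))
        if key in events and key != last_key:
            interleaved.add(key)  # event resumed after another event's record
        events.setdefault(key, []).append(m.group(1))
        last_key = key
    return events, interleaved, unparsed

# Constructed sample: two events whose records arrive interleaved.
SAMPLE = [
    'type=SYSCALL msg=audit(1194618204.101:500): syscall=2 success=yes',
    'type=SYSCALL msg=audit(1194618204.102:501): syscall=5 success=yes',
    'type=CWD msg=audit(1194618204.101:500): cwd="/root"',
    'type=PATH msg=audit(1194618204.101:500): name="/etc/passwd"',
    'type=PATH msg=audit(1194618204.102:501): name="/tmp/x"',
    'truncated line without a header',
]

if __name__ == "__main__":
    events, interleaved, unparsed = group_records(SAMPLE)
    for (stamp, serial), types in events.items():
        flag = " (interleaved)" if (stamp, serial) in interleaved else ""
        print(f"{stamp}:{serial} {types}{flag}")
    print("unparsed:", unparsed)
```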



