comparing record ids in auparse
Steve Grubb
sgrubb at redhat.com
Wed Sep 5 16:23:59 UTC 2007
On Wednesday 05 September 2007 12:11:46 John Dennis wrote:
> In the functions auparse_timestamp_compare() and events_are_equal() the
> host field is not checked, is that by design or omission?
When the API was designed, the node was not part of the records. Its only
since audit-1.6 that it was. I had not considered adding a node check since
the function was originally there to add comparing two datatypes that are not
straight forward.
> Should two different events from two different hosts be comparable?
In a consolidated log, they are not equal. I suppose that should be fixed in
the next release.
> Are we too far down the road to call this object an 'event_id'?
Yes.
-Steve
More information about the Linux-audit
mailing list