auparse delayed event emittance

Giang Nguyen cauthu at gmail.com
Sat Aug 18 14:38:02 UTC 2012


>>     - Do messages from different events ever get intermixed in the
>> output via audispd? And hence I need to cater for multiple simultaneous
>> events streaming in?
>
> Yes. This is a big problem. About 2 years ago I fixed this in ausearch/report.
> I started to fix this in libauparse but then I remembered it has this state
> machine in it to deal with the feed interface. I didn't write that code so it
> will take some time for me to figure out what it doing before fixing this
> problem. But basically you need a list of lists where each list is a
> collection of records that form one event.

Another, perhaps related, "issue" I have noticed is that libauparse
(auparse_next_event()), except for some known single-record events,
relies on a subsequent event coming in to detect that the current
accumulating event is complete. It compares and sees a different event
time stamp/serial than the one currently being accumulated. So, if I
have this sequence:

event1, record1 (time stamp = X)
event1, record2

// 10 seconds elapsed

event2 (time stamp = Y)

then libauparse won't call my auparse_callback() to notify me of
event1 until 10 seconds after event1 happened.
For my purpose, this delay is not ideal.
I looked into using auparse_flush_feed() after every auparse_feed(),
but it wouldn't work because that would mean I would get called back
for every record, not a complete event.

One possible fix is to make auparse know more about each different
type of event, perhaps as told by the application via some additional
API.
Do you think this design has any chance?

In the meantime, I guess I would do my own buffering/parsing on top
of auparse_feed() and tell it to auparse_flush_feed() when I know I
have a complete event. But this seems clunky, too.

Thanks.
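A sketch of the buffering described above, added here as an example; it is not code from this thread or from libauparse. Records are grouped by the (timestamp, serial) pair in the `msg=audit(...)` header, and a pending event is also emitted after an idle timeout instead of waiting for the next event to arrive; each emit marks the point where the application would call auparse_flush_feed() after feeding those records. The sample records, the idle timeout and the fake clock are constructed, and libauparse itself is not called.

```python
import re

# (timestamp, serial) from an audit record header, e.g. "msg=audit(1345300000.123:456):"
HEADER_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")


class EventBuffer:
    """Groups records into events by (timestamp, serial) and, unlike
    auparse_next_event(), also emits a pending event after an idle timeout.
    Each emit is the point where the caller would call auparse_flush_feed()."""

    def __init__(self, idle_timeout, clock):
        self.idle_timeout, self.clock = idle_timeout, clock  # clock is injectable
        self.key, self.records, self.last_seen = None, [], None

    def feed(self, record):
        m = HEADER_RE.search(record)
        if not m:
            raise ValueError("not an audit record: %r" % record)
        key = (m.group(1), int(m.group(2)))
        # A different key means the previous event is complete (libauparse's own rule).
        done = [self._emit()] if self.key is not None and key != self.key else []
        self.key, self.last_seen = key, self.clock()
        self.records.append(record)
        return done

    def poll(self):
        """Call periodically; emits the pending event once it has gone idle."""
        if self.records and self.clock() - self.last_seen >= self.idle_timeout:
            return [self._emit()]
        return []

    def _emit(self):
        ev = {"timestamp": self.key[0], "serial": self.key[1], "records": self.records}
        self.key, self.records, self.last_seen = None, [], None
        return ev


def demo():
    """Replays the post's sequence with a fake clock; the records are constructed."""
    now = [0.0]
    buf = EventBuffer(idle_timeout=1.0, clock=lambda: now[0])
    out = buf.feed("type=SYSCALL msg=audit(1345300000.100:101): arch=c000003e syscall=2")
    out += buf.feed('type=PATH msg=audit(1345300000.100:101): item=0 name="/etc/hosts"')
    now[0] += 1.0                # 1 s idle: event1 is emitted without waiting for event2
    out += buf.poll()
    now[0] += 9.0                # the 10 s gap from the post
    out += buf.feed("type=USER_LOGIN msg=audit(1345300010.200:102): pid=1 res=success")
    now[0] += 1.0
    out += buf.poll()
    return out
```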