Proposed additions to ausearch

[Burn Alting]

Thanks Steve,

I will check it out and re-fit patches over the next few days and submit
individual patches for review.

Rgds

Burn


On Mon, 2013-05-06 at 18:04 -0400, Steve Grubb wrote:
> On Monday, May 06, 2013 09:53:40 AM Steve Grubb wrote:
> > >         - a new option will print out more parser friendly output for
> > >         interpreted mode
> > 
> > I am in the midst of coalescing the interpreters into one. I know this
> > sounds  crazy, but ausearch and auparse both had independent copies of
> > nearly the same material. The problem was they both keep data formatted
> > completely different and that made combining them a challenge. I think
> > auparse has a faster lookup algorithm but it allocates memory for the
> > translation. So, I hope they cancel each other out.
> > 
> > My point in mentioning this is that I am probably in the middle of changing 
> > code you hooked into. The work is checked in but still in progress. The
> > first step was to create a common API for 3 functions used in translating
> > fields. (This is checked in.) The next step is to link ausearch against
> > auparse with the ausearch functions commented out. The final step is to
> > remove all the unneeded code from ausearch. (I should be doing this today.)
> 
> All changes are checked into svn for this interpreter switch over. So far my 
> testing shows that although ausearch malloc/frees about 6 times as much as it 
> used to, the lookup algorithms in auparse are superior and we actually have 
> about a 20% speed improvement in the outputting of interpreted results. 
> Searching is not any faster. 
> 
> At this point, the code should be stable in this area if you want to retest 
> and start sending patches.
> 
> Thanks,
> -Steve