[PATCH] ausearch: Add checkpoint capability and have incomplete logs carry forward when processing multiple audit.log files

Burn Alting burn at swtf.dyndns.org
Sat May 11 05:59:34 UTC 2013


All,

Attached is a patch for review.

It is against revision 829 within http://svn.fedorahosted.org/svn/audit

This patch

- allows ausearch to checkpoint itself, in that, successive invocations
will only display new events. This is enabled via the --checkpoint fn
option. The mods to ausearch.8 describe the method of achieving this.

- fixes a minor annoyance/bug in that, when ausearch processes events
from multiple audit.log files, incomplete events are considered as
complete (and hence printed) when ausearch encounters an EOF on input
from all the log files being processed. Now, ausearch only flushes
incomplete events on the last log file being processed.

Regards
Burn Alting
-------------- next part --------------
A non-text attachment was scrubbed...
Name: auseach_mods_A.patch
Type: text/x-patch
Size: 22323 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20130511/41b8fa8f/attachment.bin>
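The second fix described in the message, shown as an added Python sketch (not code from the attached patch or from ausearch itself). It assumes an EOE record marks an event complete and that a checkpoint is the (timestamp, serial) of the last event already shown; `read_events`, its parameters and the sample records are constructed for illustration.

```python
import re

# Constructed sample records. Event 101 straddles a log rotation:
# it starts in audit.log.1 (older) and finishes in audit.log (current).
OLD_LOG = [
    'type=SYSCALL msg=audit(1368251970.100:100): syscall=2 success=yes',
    'type=EOE msg=audit(1368251970.100:100): ',
    'type=SYSCALL msg=audit(1368251974.200:101): syscall=59 success=yes',
]
NEW_LOG = [
    'type=PATH msg=audit(1368251974.200:101): item=0 name="/bin/ls"',
    'type=EOE msg=audit(1368251974.200:101): ',
    'type=SYSCALL msg=audit(1368251980.300:102): syscall=2 success=no',
]

REC = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')

def read_events(files, carry_forward=True, checkpoint=None):
    """Return [((timestamp, serial), [record types])] from files given oldest first.

    Assumptions of this sketch: an EOE record marks an event complete, and
    the checkpoint is the (timestamp, serial) of the last event already shown.
    """
    pending, out = {}, []
    for idx, lines in enumerate(files):
        for line in lines:
            m = REC.match(line)
            if not m:
                continue  # ignore lines that are not audit records
            rtype, key = m.group(1), (float(m.group(2)), int(m.group(3)))
            if rtype == 'EOE':
                out.append((key, pending.pop(key, [])))
            else:
                pending.setdefault(key, []).append(rtype)
        # EOF: flush incomplete events only on the last file, unless the
        # pre-patch behaviour (flush at every EOF) is being reproduced.
        if idx == len(files) - 1 or not carry_forward:
            out.extend((k, pending.pop(k)) for k in sorted(pending))
    if checkpoint is not None:
        out = [e for e in out if e[0] > checkpoint]
    return out
```

With `carry_forward=False` event 101 is reported twice as two partial events; with the default it is reported once with both records, and passing a checkpoint suppresses events at or before it.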

