EOE events in auparse output
Steve Grubb
sgrubb at redhat.com
Mon Dec 5 15:54:30 UTC 2016
On Monday, December 5, 2016 5:34:12 PM EST Nikolai Kondrashov wrote:
> However, since libauparse is supposed to provide the service of
> communicating event boundaries to its users, does it make sense for it to
> return the EOE record? Especially as a separate, empty event, which doesn't
> add any information?
I suppose it could be stripped from the event, as its real purpose is locating
the event boundary. Since I don't know if the event will be relayed on to
another analytic processor, I've just kept it there. For example, you could
have a realtime plugin that passes its information to another process for
correlation and escalation. In that case keeping the record makes sense. But
for xml/json it can be dropped because it has its own way of defining an event
boundary.
-Steve
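The two policies described above (keep EOE when relaying raw records to another processor, drop it when emitting JSON because the JSON object is the boundary) as an added example in Python. This is not auparse or audit-project code: it is a small standalone grouper over constructed audit.log-style lines, and the function names (`parse_record`, `split_events`, `relay_lines`, `events_to_json`) and the sample records are all assumptions made for the illustration. It also shows the case the thread implies, an event that carries no EOE at all, whose end is only visible when a record with a different serial arrives.

```python
"""Group raw audit records into events and decide what to do with EOE.

Added example, not auparse/audit code. It parses constructed audit.log-style
lines (type=... msg=audit(ts:serial): ...) with plain regexes to show two
output policies: relaying raw records (EOE kept as the boundary marker) and
emitting JSON (EOE dropped, the object is the boundary).
"""
import json
import re

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values may be double- or single-quoted (single quotes wrap
# the nested msg='...' payload of USER_* records) or bare.
FIELD_RE = re.compile(r"(?P<key>[\w-]+)=(?P<val>\"[^\"]*\"|'[^']*'|\S*)")

# Constructed sample, not captured data. Event 456 is a multi-record syscall
# event closed by EOE; 457 is a single-record event with no EOE, so its
# boundary only becomes visible when serial 458 starts.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1480953252.123:456): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1480953252.123:456): argc=2 a0="ls" a1="-l"
type=CWD msg=audit(1480953252.123:456): cwd="/root"
type=EOE msg=audit(1480953252.123:456):
type=USER_LOGIN msg=audit(1480953260.001:457): pid=1234 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1480953261.500:458): arch=c000003e syscall=257 success=no exit=-13 comm="cat" exe="/bin/cat"
type=EOE msg=audit(1480953261.500:458):
"""


def parse_record(line):
    """Return a dict for one record, or None for lines that are not records."""
    raw = line.strip()
    m = RECORD_RE.match(raw)
    if m is None:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": m.group("ts"),
            "serial": int(m.group("serial")), "fields": fields, "raw": raw}


def split_events(lines):
    """Group records into events.

    An event ends when its EOE record arrives, or, for events that carry no
    EOE, when the next record has a different (timestamp, serial) key.
    """
    events, current = [], None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["ts"], rec["serial"])
        if current is not None and current["key"] != key:
            events.append(current)      # previous event had no EOE
            current = None
        if current is None:
            current = {"key": key, "records": []}
        current["records"].append(rec)
        if rec["type"] == "EOE":
            events.append(current)      # EOE is the explicit boundary
            current = None
    if current is not None:
        events.append(current)          # trailing event at end of input
    return events


def relay_lines(events):
    """Policy 1: pass records on to another processor as raw audit lines.

    EOE is kept so the downstream consumer can find event boundaries without
    re-implementing the serial-change heuristic in split_events.
    """
    return [rec["raw"] for ev in events for rec in ev["records"]]


def events_to_json(events):
    """Policy 2: one JSON object per event.

    The object itself delimits the event, so the empty EOE record adds no
    information and is dropped.
    """
    out = []
    for ev in events:
        ts, serial = ev["key"]
        out.append({
            "timestamp": ts,
            "serial": serial,
            "records": [{"type": r["type"], **r["fields"]}
                        for r in ev["records"] if r["type"] != "EOE"],
        })
    return out


if __name__ == "__main__":
    evs = split_events(SAMPLE_LOG.splitlines())
    print("\n".join(relay_lines(evs)))
    print(json.dumps(events_to_json(evs), indent=2))
```

Note that the relay path still hands the consumer a serial-change problem for events without EOE (serial 457 above), which is exactly why the marker is worth keeping on that path and worthless on the JSON one.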