Patch to auparse to handle out of order messages 3 of 3

Burn Alting burn at swtf.dyndns.org
Thu Jan 7 23:05:13 UTC 2016


Steve,

Can I suggest you modify src/ausearch-lol.c:check_events() to add in the
AUDIT_PROCTITLE check (this will reduce memory overhead, as events will be
flushed faster).
Also, can we ask Richard to put a comment into the appropriate location in
the kernel code to indicate the link between ausearch/aureport/auparse
depending on AUDIT_PROCTITLE being the last record of an event if
present.

Regards

On Thu, 2016-01-07 at 17:31 -0500, Steve Grubb wrote:
> On Wednesday, January 06, 2016 09:30:36 PM Burn Alting wrote:
> > #3 - modify the standard auparse() test code.
> 
> And this patch is applied. Thanks, Burn, for all the patches! This will make
> analytical programs much more accurate since interlaced records won't split an
> event up any more.
> 
> If anyone wants to try out the new audit code from svn, please send any
> feedback asap. (Same with other bug reports.) I am aiming for a release in the
> next 2 days. I just have to finish working on Richard's audit-by-process-name
> patch and then it's time to release a new package.
> 
> -Steve