auparse_feed callback on EOE record
Steve Grubb
sgrubb at redhat.com
Sat Jun 15 18:28:05 UTC 2019
Hello,
On Wednesday, June 12, 2019 3:05:40 AM EDT Tarun Ramesh wrote:
> Also I noticed that the EOE record is treated as its own event even though
> there were other records with the same audit serial number. I guess this is
> expected as after EOE there will be no more records for this event and if
> EOE was treated as a part of the previous event, then it will not be
> possible to tell when this event is complete.
This turns out to be a benign bug. Auparse has some heuristics to determine
the end of an event as quickly as possible. It appears that it determined the
event was complete before the EOE event arrived and thus the EOE event had no
existing event to get added to. I fixed auparse to eat standalone EOE events
since they are meaningless on their own. Thanks for reporting this issue.
-Steve
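The behaviour discussed in this thread, as an added example that is not part of the original message or of the audit-userspace code: a toy Python model of auparse's feed mode, where records are pushed one line at a time and a callback fires once an event is judged complete. The early-completion rule used here (a PROCTITLE record closes a syscall event before its EOE arrives) and the sample audit records are assumptions constructed for the example; `eat_standalone_eoe=False` reproduces the pre-fix symptom reported in the thread, where an orphaned EOE surfaces as an event of its own.

```python
import re

# Constructed sample records (not from the thread). Each carries
# msg=audit(<timestamp>:<serial>) like real audit records; the EOE
# record is the terminator for a multi-record event.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1560348340.100:100): arch=c000003e syscall=59 success=yes exit=0',
    'type=EXECVE msg=audit(1560348340.100:100): argc=1 a0="/bin/true"',
    'type=CWD msg=audit(1560348340.100:100): cwd="/tmp"',
    'type=PATH msg=audit(1560348340.100:100): item=0 name="/bin/true"',
    'type=PROCTITLE msg=audit(1560348340.100:100): proctitle="/bin/true"',
    'type=EOE msg=audit(1560348340.100:100): ',
    'type=USER_LOGIN msg=audit(1560348341.200:101): pid=1 uid=0 res=success',
    'type=EOE msg=audit(1560348341.200:101): ',
]

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')


def parse_record(line):
    """Extract type, timestamp and serial from one audit record line."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return {"type": m.group(1), "time": m.group(2),
            "serial": int(m.group(3)), "raw": line}


class FeedAssembler:
    """Toy model of feed-mode event assembly (assumption: not libauparse code).

    Records are grouped by serial number. An event is delivered to on_event
    either when its EOE arrives or, earlier, when a record type known to be
    the last real record of the event (PROCTITLE, assumed here) is seen.
    """

    def __init__(self, on_event, eat_standalone_eoe=True):
        self.on_event = on_event
        self.eat_standalone_eoe = eat_standalone_eoe
        self.open = {}          # serial -> records not yet delivered
        self.dropped_eoe = 0    # standalone EOEs discarded

    def feed(self, line):
        rec = parse_record(line)
        if rec is None:
            return
        serial = rec["serial"]
        if rec["type"] == "EOE":
            if serial in self.open:
                # Normal case: EOE closes an event still being assembled.
                self.on_event(serial, self.open.pop(serial))
            elif self.eat_standalone_eoe:
                # Fixed behaviour: an EOE with no open event is meaningless.
                self.dropped_eoe += 1
            else:
                # Pre-fix symptom: the orphaned EOE becomes its own event.
                self.on_event(serial, [rec])
            return
        self.open.setdefault(serial, []).append(rec)
        # Early-completion heuristic (assumed): PROCTITLE ends a syscall event,
        # so the event is delivered before its EOE arrives.
        if rec["type"] == "PROCTITLE":
            self.on_event(serial, self.open.pop(serial))

    def flush(self):
        """Deliver whatever is still open, like auparse_flush_feed()."""
        for serial in list(self.open):
            self.on_event(serial, self.open.pop(serial))


def assemble(lines, eat_standalone_eoe=True):
    """Feed all lines and return ([(serial, records), ...], dropped_eoe)."""
    events = []
    asm = FeedAssembler(lambda s, recs: events.append((s, recs)),
                        eat_standalone_eoe)
    for line in lines:
        asm.feed(line)
    asm.flush()
    return events, asm.dropped_eoe


if __name__ == "__main__":
    for mode in (True, False):
        events, dropped = assemble(SAMPLE_RECORDS, eat_standalone_eoe=mode)
        print(f"eat_standalone_eoe={mode}: "
              f"{[(s, len(r)) for s, r in events]} dropped={dropped}")
```

With the fix modelled (`eat_standalone_eoe=True`) the callback fires twice, once for serial 100 with its five records and once for serial 101, and the orphaned EOE for 100 is counted as dropped; with it off, the same input yields a third, single-record "event" consisting only of that EOE, which is the anomaly Tarun observed.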