Occasional delayed output of events
Paul Moore
paul at paul-moore.com
Sun Jan 17 14:07:08 UTC 2021
On Fri, Jan 15, 2021 at 9:43 PM Burn Alting <burn.alting at iinet.net.au> wrote:
> On Fri, 2021-01-15 at 19:35 -0500, Richard Guy Briggs wrote:
>> Or we go back to userspace code looking for the EOE record? This
>> doesn't help if they arrive out of order. Do we number the records in
>> the kernel? N of M...
>
> I like the N of M concept but there would be a LOT of change - especially for all the non-kernel event sources. The EOE would be the most seamless, but at a cost.
> My preference is to allow the 2 second 'timer' to be configurable.
Agree with Burn, numbering the records coming up from the kernel is
going to be a real nightmare, and not something to consider lightly.
Especially when it sounds like we don't yet have a root cause for the
issue.
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list