Occasional delayed output of events
Steve Grubb
sgrubb at redhat.com
Sun Jan 17 21:12:32 UTC 2021
On Sunday, January 17, 2021 9:07:08 AM EST Paul Moore wrote:
> On Fri, Jan 15, 2021 at 9:43 PM Burn Alting <burn.alting at iinet.net.au>
wrote:
> > On Fri, 2021-01-15 at 19:35 -0500, Richard Guy Briggs wrote:
> >> Or we go back to userspace code looking for the EOE record? This
> >> doesn't help if they arrive out of order. Do we number the records in
> >> the kernel? N of M...
> >
> > I like the N of M concept but there would be a LOT of change - especially
> > for all the non-kernel event sources. The EOE would be the most
> > seamless, but at a cost. My preference is to allow the 2 second 'timer'
> > to be configurable.
>
> Agree with Burn, numbering the records coming up from the kernel is
> going to be a real nightmare, and not something to consider lightly.
> Especially when it sounds like we don't yet have a root cause for the
> issue.
A very long time ago, we had numbered records. But it was decided that
there's no real point in it and we'd rather just save disk space.
I know that the kernel does not serialize the events headed for user space.
But I'm curious how an event gets stuck and others can jump ahead while one
that's already inflight can get hung for 4 seconds before it's next record
goes out?
-Steve
More information about the Linux-audit
mailing list