audit log exit

Timothy R. Chavez chavezt at gmail.com
Wed Jan 5 20:27:11 UTC 2005


Hm,

Could it be to minimize risk of filling up the buffer and to also
produce separation of records?  This way userspace auditd can stitch
together a log record per name, based on the serial numbers?  A
one-to-many relationship so-to-speak.  This way you get one record
containing all the common information and X records containing all the
unique information instead of one super huge record that's immensely
difficult to parse or X records with a bunch of redundant information
in them.

-Tim

On Wed, 5 Jan 2005 08:27:55 -0500, Steve Grubb <sgrubb at redhat.com> wrote:
> Hi,
> 
> I was wondering why the code in audit_log_exit
> 
> http://lxr.linux.no/source/kernel/auditsc.c?v=2.6.8.1#L582
> 
> loops spitting out packets? Why isn't the audit information sent as 1 packet?
> 
> Just curious...
> -Steve Grubb
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
> 


-- 
- Timothy R. Chavez
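
The one-to-many stitching suggested in the reply above, sketched as an added example; it is not code from the thread, the kernel or auditd. It assumes the `type=... msg=audit(timestamp:serial): key=value` line format written by present-day auditd, and all sample records and field values are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample. Events 101 and 102 are interleaved, and event 103
# has lost its SYSCALL record (e.g. a dropped message).
SAMPLE = """\
type=SYSCALL msg=audit(1104956831.100:101): arch=c000003e syscall=82 success=yes exit=0 pid=4321 uid=0 comm="mv"
type=SYSCALL msg=audit(1104956831.250:102): arch=c000003e syscall=2 success=no exit=-13 pid=4400 uid=1000 comm="cat"
type=PATH msg=audit(1104956831.100:101): item=0 name="/etc/app.conf.new" inode=1201
type=PATH msg=audit(1104956831.250:102): item=0 name="/etc/shadow" inode=77
type=PATH msg=audit(1104956831.100:101): item=1 name="/etc/app.conf" inode=1188
type=PATH msg=audit(1104956831.900:103): item=0 name="/tmp/orphan" inode=9
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(body):
    """Split the key=value body of one record into a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def stitch(lines):
    """Group records by (timestamp, serial): one common part, many PATH parts."""
    events = OrderedDict()
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record, skip it
        rtype, stamp, serial, body = m.groups()
        ev = events.setdefault((stamp, int(serial)), {"common": None, "paths": []})
        fields = parse_fields(body)
        if rtype == "SYSCALL":
            ev["common"] = fields        # information shared by the whole event
        elif rtype == "PATH":
            ev["paths"].append(fields)   # one record per name
    for ev in events.values():
        ev["paths"].sort(key=lambda p: int(p.get("item", 0)))
        # Flag events whose common record never arrived instead of guessing.
        ev["complete"] = ev["common"] is not None
    return events

if __name__ == "__main__":
    for (stamp, serial), ev in stitch(SAMPLE.splitlines()).items():
        names = [p["name"] for p in ev["paths"]]
        who = ev["common"]["comm"] if ev["complete"] else "<no SYSCALL record>"
        print(serial, stamp, who, names)
```
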



