[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit 0.6 release



On Friday 07 January 2005 09:44, Browder, Tom wrote:
> Notice that I can get the file name, the system call, and the exit
> status of unlink (but I suspect the print format for the exit code is %u
> instead of %d, thus the apparent large number probably from a negative 
> exit code). 

Yes. We've been talking about that. Also translating the syscall from a number 
to its proper text name.

auditsc.c in audit_log_exit function
         if (context->return_valid)
                 audit_log_format(ab, " exit=%u", context->return_code);

That should be %d.

> But do there have to be two messages?  

I asked that question Wednesday. Why does log exit loop spitting out little 
messages instead of 1. I think we decided to leave it as is and query tools 
need to handle multiple records.

> (can I assume the messages always come in matching, adjacent pairs?).

Yes

> To sum up, I believe I can write a perl parser to do what I need now
> (assuming the exit code is correct), even though the message traffic is
> so high. 

The success option is what will help you lower the number of records the 
kernel sends to user space. I suppose we need to figure out its correct usage 
or if its broken.

-Steve Grubb


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]