
Dispatching of events

I have been testing the dispatch system by having auditd monitor when a certain file is opened, and I have always seen 3 messages per open event (a 1300, 1307, followed by a 1302). I would assume other syscall rule violations may trigger fewer or more messages.

So, is there a way to tell when all messages for a particular event have been dispatched? I am combining information from each of an event's messages to create an entry in a queue (containing event structures that I created). I am trying to determine when I can process the combined event information (when there are no more messages) so it can be removed from the queue.

Also, is it safe to assume a type 1300 message is always the first message pertaining to a rule violation?

Thanks,
Steve
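Added example (my code, not Steve's and not part of the audit project): a dispatcher-side assembler that groups raw records by the serial in `msg=audit(ts:serial)` and treats the kernel's EOE record (type 1320, end of multi-record event) as the point at which an event's records are all in. The sample records are constructed; a real plugin would also need a timeout for events that never get an EOE.

```python
import re
from collections import OrderedDict

# Constructed input, not a real capture: what a dispatcher plugin would read on stdin
# for two opens of a watched file. Each event is SYSCALL (1300), CWD (1307) and
# PATH (1302), closed by the kernel's EOE (1320) record. Events 42 and 43 interleave.
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:42): syscall=257 success=yes exit=3 comm="cat" key="watched"
type=CWD msg=audit(1700000000.101:42): cwd="/home/user"
type=SYSCALL msg=audit(1700000000.103:43): syscall=257 success=no exit=-13 comm="less" key="watched"
type=PATH msg=audit(1700000000.101:42): item=0 name="/etc/secret.conf" nametype=NORMAL
type=EOE msg=audit(1700000000.101:42):
type=CWD msg=audit(1700000000.103:43): cwd="/tmp"
type=PATH msg=audit(1700000000.103:43): item=0 name="/etc/secret.conf" nametype=NORMAL
type=EOE msg=audit(1700000000.103:43):
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (type, serial, {field: value}) for one raw record, or None."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    return rtype, int(serial), {k: v.strip('"') for k, v in FIELD.findall(rest)}

def assemble_events(lines):
    """Group records by serial (events can interleave); return (completed, still open)."""
    pending, complete = OrderedDict(), []
    for line in lines:
        parsed = parse_record(line.strip())
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        if rtype == 'EOE':                 # kernel's end-of-event marker for this serial
            if serial in pending:
                complete.append(pending.pop(serial))
            continue
        ev = pending.setdefault(serial, {'serial': serial, 'records': {}})
        ev['records'].setdefault(rtype, []).append(fields)   # PATH can repeat (item=N)
    return complete, pending

def open_summaries(lines):
    """Combine the SYSCALL and PATH records of each completed event into one tuple."""
    return [(ev['serial'], ev['records']['SYSCALL'][0]['comm'],
             ev['records']['SYSCALL'][0]['success'], ev['records']['PATH'][0]['name'])
            for ev in assemble_events(lines)[0]]
```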

