difficulty with TYPE

James Antill james.antill at redhat.com
Tue Jan 15 14:20:31 UTC 2008


On Tue, 2008-01-15 at 08:58 -0500, John Dennis wrote:
> James Antill wrote:
> >  The second iovec above can't just be MAX_AUDIT_MESSAGE_LENGTH, or if
> > there are two messages you'll read some/all of the next one(s). You
> > either need to read the header first and then use hdr.size, or separate
> > the IO from the parsing.
> >  Also you can't just check for readv() as above, you need to check that
> > you've read the amount of data you want, and if you didn't get it all
> > yet then loop. 
> 
> This is why we provide libraries to do things like this, it can be 
> tricky to get right. The feed() interface to auparse consumes arbitrary 

 auparse_feed() works off log files and the audispd "string" format. The
above code was using the auditd -> audispd format, so that API doesn't
work.

-- 
James Antill <james.antill at redhat.com>
Red Hat
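
The two points quoted above (read the header first and size the second read from hdr.size, and loop until the requested amount has arrived) can be sketched as follows. This is an added example, not code from the thread or from the audit project; `struct hdr`, `MAX_MSG_LEN`, `read_full()` and `read_msg()` are hypothetical stand-ins, and a blocking descriptor is assumed.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define MAX_MSG_LEN 8970 /* stand-in for MAX_AUDIT_MESSAGE_LENGTH (assumed value) */

/* Stand-in for the binary header sent ahead of each event (assumed layout). */
struct hdr {
    uint32_t ver;   /* protocol version */
    uint32_t hlen;  /* header length */
    uint32_t type;  /* record type */
    uint32_t size;  /* bytes of payload following the header */
};

/* Read exactly n bytes, looping over short reads and EINTR.
 * Returns 1 on success, 0 on EOF before any byte, -1 on error or truncation. */
static int read_full(int fd, void *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, (char *)buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (r == 0)
            return got == 0 ? 0 : -1;
        got += (size_t)r;
    }
    return 1;
}

/* Read one message: header first, then exactly h->size bytes, so nothing
 * belonging to the next message is consumed.
 * Returns 1 on success, 0 on EOF, -1 on error or an untrustworthy length. */
static int read_msg(int fd, struct hdr *h, char *data, size_t cap)
{
    int rc = read_full(fd, h, sizeof(*h));
    if (rc <= 0)
        return rc;
    if (h->hlen != sizeof(*h) || h->size > MAX_MSG_LEN || h->size >= cap)
        return -1; /* validate the length before it sizes a read */
    if (h->size && read_full(fd, data, h->size) != 1)
        return -1;
    data[h->size] = '\0';
    return 1;
}
```

Rejecting an out-of-range `size` before the payload read keeps a corrupt or hostile header from driving a read past the end of the caller's buffer.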