[PATCH] ausearch: Add checkpoint capability and have incomplete logs carry forward when processing multiple audit.log files

Burn Alting burn at swtf.dyndns.org
Mon May 13 20:51:17 UTC 2013


Steve,

If you hold off, I will separate these later today and re-submit.

Rgds
On Mon, 2013-05-13 at 09:43 -0400, Steve Grubb wrote:
> Hello,
> 
> On Saturday, May 11, 2013 03:59:34 PM Burn Alting wrote:
> > Attached is a patch for review.
> > 
> > It is against revision 829 within http://svn.fedorahosted.org/svn/audit
> > 
> > This patch
> > 
> > - allows ausearch to checkpoint itself, in that, successive invocations
> > will only display new events. This is enabled via the --checkpoint fn
> > option. The mods to ausearch.8 describe the method of achieving this.
> > 
> > - fixes a minor annoyance/bug in that, when ausearch processes events
> > from multiple audit.log files, incomplete events are considered as
> > complete (and hence printed) when ausearch encounters an EOF on input
> > from all the log files being processed. Now, ausearch only flushes
> > incomplete events on the last log file being processed.
> 
> First of all, thanks for submitting the patch. It's nice to have a 
> problem/feature request that has a solution attached. :-)
> 
> But if at all possible, I'd really like to keep bug fixes and features 
> separated in patches. There are some distributions that would pick up the bug 
> fix, but hold the feature until next OS version. It also lets one patch proceed 
> to get applied should more discussion be required on the other portion. And 
> should one introduce a new problem, it will allow bisecting to more closely 
> pinpoint the patch that caused the problem.
> 
> I'll try to separate these. I think, from reading the code, the portion that 
> addresses not flushing on EOF is simple and straightforward and can be applied. 
> The other piece may need some discussion - not sure without having them 
> separated and looking it over.
> 
> Thanks,
> -Steve

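The EOF-flush bug described in the quoted patch summary, modelled in an added Python example (this is not the ausearch source): records sharing a serial are grouped into one event, and an event is treated as finished either when a newer serial appears or when the reader flushes. The log lines are constructed, and the "newer serial completes older events" rule is a simplification of what ausearch actually does.

```python
import re

# Constructed sample logs (not real audit data). Event 1001 straddles the
# rotation boundary: its SYSCALL record ends the older file and its EXECVE
# and PROCTITLE records open the newer one.
AUDIT_LOG_OLD = """\
type=SYSCALL msg=audit(1368478800.123:1000): arch=c000003e syscall=2 success=yes exit=3
type=PATH msg=audit(1368478800.123:1000): item=0 name="/etc/passwd"
type=SYSCALL msg=audit(1368478801.456:1001): arch=c000003e syscall=59 success=yes exit=0
"""
AUDIT_LOG_NEW = """\
type=EXECVE msg=audit(1368478801.456:1001): argc=1 a0="id"
type=PROCTITLE msg=audit(1368478801.456:1001): proctitle="id"
type=SYSCALL msg=audit(1368478802.789:1002): arch=c000003e syscall=1 success=yes exit=5
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def assemble_events(files, flush_each_eof):
    """Return [(serial, [record types])] in the order events are emitted.

    files: log contents, oldest first (the order ausearch reads rotated logs).
    flush_each_eof=True models the pre-patch behaviour (incomplete events are
    printed at every file's EOF); False models the fix (flush only after the
    last file, so a split event is reassembled from the next file).
    """
    events = []   # completed events
    pending = {}  # serial -> record types still being assembled

    def flush():
        for serial in sorted(pending):
            events.append((serial, pending[serial]))
        pending.clear()

    for idx, text in enumerate(files):
        for line in text.splitlines():
            m = SERIAL_RE.search(line)
            if not m:
                continue
            serial = int(m.group(2))
            rtype = line.split()[0].split("=", 1)[1]  # "type=SYSCALL" -> "SYSCALL"
            # A record with a newer serial means every older pending event is done.
            for old in sorted(s for s in pending if s < serial):
                events.append((old, pending.pop(old)))
            pending.setdefault(serial, []).append(rtype)
        if flush_each_eof or idx == len(files) - 1:
            flush()
    return events
```

Run with `flush_each_eof=True` and event 1001 comes out twice, as two fragments; with `False` it comes out once with all three records.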