[PATCH] ausearch: Add checkpoint capability and have incomplete logs carry forward when processing multiple audit.log files

Steve Grubb sgrubb at redhat.com
Mon May 13 13:43:26 UTC 2013


Hello,

On Saturday, May 11, 2013 03:59:34 PM Burn Alting wrote:
> Attached is a patch for review.
> 
> It is against revision 829 within http://svn.fedorahosted.org/svn/audit
> 
> This patch
> 
> - allows ausearch to checkpoint itself, in that, successive invocations
> will only display new events. This is enabled via the --checkpoint fn
> option. The mods to ausearch.8 describe the method of achieving this.
> 
> - fixes a minor annoyance/bug in that, when ausearch processes events
> from multiple audit.log files, incomplete events are considered as
> complete (and hence printed) when ausearch encounters an EOF on input
> from all the log files being processed. Now, ausearch only flushes
> incomplete events on the last log file being processed.

First of all, thanks for submitting the patch. It's nice to have a 
problem/feature request that has a solution attached. :-)

But if at all possible, I'd really like to keep bug fixes and features 
separated in patches. There are some distributions that would pick up the bug 
fix, but hold the feature until next OS version. It also lets one patch proceed 
to get applied should more discussion be required on the other portion. And 
should one introduce a new problem, it will allow bisecting to more closely 
pinpoint the patch that caused the problem.

I'll try to separate these. I think, from reading the code, the portion that 
addresses not flushing on EOF is simple and straightforward and can be applied. 
The other piece may need some discussion - not sure without having them 
separated and looking it over.

Thanks,
-Steve



