Patch to auparse to handle out of order messages 3 of 3

Steve Grubb sgrubb at redhat.com
Thu Jan 7 23:44:24 UTC 2016


On Friday, January 08, 2016 10:05:13 AM Burn Alting wrote:
> Steve,
> 
> Can I suggest you modify src/ausearch-lol.c:check_events() to add in the
> AUDIT_PROCTITLE check (will reduce memory overhead as events will be
> flushed faster).

OK. Good suggestion. The SVN repo has been updated.


> Also can we ask Richard to put a comment into the appropriate location in
> the kernel code to indicate the link between ausearch/aureport/auparse
> depending on AUDIT_PROCTITLE being the last record of an event if
> present.

I'll let them answer.

That said, one of the things I want to add in the next development cycle is the 
ability to get rid of proctitle records if the admin wants to. They waste a 
lot of space. But if they are missing then we have the same performance as we 
did before I added this patch.

-Steve


> On Thu, 2016-01-07 at 17:31 -0500, Steve Grubb wrote:
> > On Wednesday, January 06, 2016 09:30:36 PM Burn Alting wrote:
> > > #3 - modify the standard auparse() test code.
> > 
> > And this patch is applied. Thanks, Burn, for all the patches! This will
> > make analytical programs much more accurate since interlaced records
> > won't split an event up any more.
> > 
> > If anyone wants to try out the new audit code from svn please send any
> > feedback asap. (Same with other bug reports.) I am aiming for a release in
> > the next 2 days. I just have to finish working on Richard's audit by
> > process name patch and then it's time to release a new package.
> > 
> > -Steve
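The thread above describes three behaviours of the patched event reassembly: records of different events can arrive interlaced and must be grouped by their audit(timestamp:serial) key rather than split at every change of serial; an AUDIT_PROCTITLE record, when present, is the last record of its event and lets the event be flushed immediately (the check_events() change Burn suggests); and when proctitle records are absent the reassembler falls back to the older, slower flushing. The following is an added illustration of that logic written for this page, not code from the audit project, ausearch or auparse. The log lines are constructed, the record layout is the usual `type=... msg=audit(ts:serial):` text form, and the `max_pending` bound, the `Event` structure and the function names are assumptions made for the example.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample (not captured data): records of two events, serial 101
# (cat /etc/shadow) and serial 102 (execve of ls), arriving interlaced.
# Event 101 carries a PROCTITLE record; event 102 deliberately does not,
# to exercise the "proctitle missing" fallback discussed in the thread.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1452210000.100:101): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1452210000.101:102): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash"
type=CWD msg=audit(1452210000.100:101): cwd="/etc"
type=PATH msg=audit(1452210000.100:101): item=0 name="shadow" nametype=NORMAL
type=EXECVE msg=audit(1452210000.101:102): argc=2 a0="ls" a1="-l"
type=PROCTITLE msg=audit(1452210000.100:101): proctitle=636174002F6574632F736861646F77
type=CWD msg=audit(1452210000.101:102): cwd="/home/user"
type=PATH msg=audit(1452210000.101:102): item=0 name="/usr/bin/ls" nametype=NORMAL
"""

# Only the header is parsed: record type plus the (timestamp, serial) event key.
MSG_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):')


@dataclass
class Event:
    key: tuple                      # (timestamp string, serial int)
    records: list = field(default_factory=list)
    reason: str = ''                # 'proctitle', 'overflow' or 'eof'
    flushed_after: int = 0          # number of records consumed when flushed


def reassemble(lines, proctitle_terminates=True, max_pending=None):
    """Group audit records into events and return them in flush order.

    proctitle_terminates: treat a PROCTITLE record as the end of its event
        (the kernel emits it last), so the event leaves the pending set at once.
    max_pending: hypothetical memory bound; when more events than this are
        in flight the oldest is flushed even though it may be incomplete.
        max_pending=1 reproduces the pre-patch behaviour, where interlaced
        records split an event into pieces.
    """
    pending = OrderedDict()         # key -> Event, insertion order = age
    flushed = []
    consumed = 0
    for line in lines:
        m = MSG_RE.match(line)
        if not m:
            continue                # not an audit record header; ignore here
        consumed += 1
        key = (m['ts'], int(m['serial']))
        ev = pending.setdefault(key, Event(key))
        ev.records.append(line)
        # Fast path: the terminating record arrived, the event is complete.
        if proctitle_terminates and m['type'] == 'PROCTITLE':
            ev = pending.pop(key)
            ev.reason, ev.flushed_after = 'proctitle', consumed
            flushed.append(ev)
        # Memory bound: evict the oldest event if too many are in flight.
        while max_pending is not None and len(pending) > max_pending:
            _, old = pending.popitem(last=False)
            old.reason, old.flushed_after = 'overflow', consumed
            flushed.append(old)
    # Fallback: whatever is still pending (no PROCTITLE seen) flushes at end
    # of input. This is the slower path the thread mentions for events
    # whose proctitle records are missing.
    for ev in pending.values():
        ev.reason, ev.flushed_after = 'eof', consumed
        flushed.append(ev)
    return flushed


def serials(events):
    """Serial numbers of the returned events, in flush order."""
    return [ev.key[1] for ev in events]


if __name__ == '__main__':
    for label, kwargs in [('proctitle check', {}),
                          ('no proctitle check', {'proctitle_terminates': False}),
                          ('max_pending=1 (pre-patch style)', {'max_pending': 1})]:
        print(f'--- {label}')
        for ev in reassemble(SAMPLE_LOG.splitlines(), **kwargs):
            print(f'serial={ev.key[1]} records={len(ev.records)} '
                  f'reason={ev.reason} flushed_after={ev.flushed_after}')
```

Running the three configurations side by side shows the points made in the thread: with the PROCTITLE check, event 101 is released as soon as its sixth record arrives while 102 waits for end of input; without the check both wait until end of input, the same cost as before the patch; and with only one event buffered, the interlaced records of 101 and 102 are emitted as five fragments instead of two whole events, which is the splitting that makes downstream analysis inaccurate.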




More information about the Linux-audit mailing list