On Thursday 27 September 2007 12:50:15 John Dennis wrote:
> I believe the consequences are this:
> 1) A real time audit parsing library must still support both event
> closure mechanisms (note, parsing libraries are user space and
> independent of kernel versions and hosts).
Yes.
> 2) The library when it opens an audit stream must start with its
> closure mechanism set to "interval".
If you design it so, yes. I'd rather just say it's either timing out the
connection or when the processed time in the file has elapsed beyond say 2
seconds...
> 3) If AUDIT_EOE is seen the library sets its closure mechanism to
> "EOE". Closed events will then be emitted earlier than previously.
Correct. This is all about speeding up the realtime analysis.
-Steve
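As an added illustration of the two closure mechanisms discussed in this thread (not code from the audit project or from either poster), the following Python sketch groups audit records into events by their serial number. It starts in "interval" mode, where an open event is closed once the processed timestamp in the stream has moved more than an assumed 2 seconds past it, and switches to "EOE" mode the first time a `type=EOE` record is seen, after which each event is closed as soon as its EOE record arrives. The record format follows the `type=... msg=audit(TIME:SERIAL):` header that audit records carry; the sample lines, the class and function names, and the 2-second interval are constructed for the example.

```python
import re

# Every audit record starts with this header, e.g.
# "type=SYSCALL msg=audit(1190905815.100:10): arch=c000003e syscall=2 ..."
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")

INTERVAL_SECONDS = 2.0  # assumed timeout for "interval" closure mode


def parse_record(line):
    """Split one audit record into type, timestamp, serial and body."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, body = m.groups()
    return {"type": rtype, "time": float(ts), "serial": int(serial), "body": body}


class EventAssembler:
    """Groups records by serial and decides when an event is complete.

    mode starts as "interval" (close after the stream time has advanced past
    the event by more than `interval`) and becomes "eoe" once an EOE record
    shows the kernel delimits events explicitly.
    """

    def __init__(self, interval=INTERVAL_SECONDS):
        self.mode = "interval"
        self.interval = interval
        self.open = {}      # serial -> event dict (insertion ordered)
        self.closed = []    # completed events, in closure order

    def feed(self, line):
        rec = parse_record(line)
        if rec["type"] == "EOE":
            # End-of-event marker: switch modes and close this event now.
            self.mode = "eoe"
            self._close(rec["serial"])
            return
        ev = self.open.setdefault(
            rec["serial"], {"serial": rec["serial"], "time": rec["time"], "records": []})
        ev["records"].append(rec)
        if self.mode == "interval":
            self._expire(rec["time"])

    def _expire(self, now):
        # Close every open event the stream has moved past by more than the interval.
        for serial in list(self.open):
            if now - self.open[serial]["time"] > self.interval:
                self._close(serial)

    def _close(self, serial):
        ev = self.open.pop(serial, None)   # tolerate a late EOE for an expired event
        if ev is not None:
            self.closed.append(ev)

    def flush(self):
        """End of stream: emit anything still open regardless of mode."""
        for serial in list(self.open):
            self._close(serial)


# Constructed sample: records from a kernel without EOE support.
SAMPLE_OLD_KERNEL = [
    'type=SYSCALL msg=audit(1190905815.100:10): arch=c000003e syscall=2 success=yes exit=3',
    'type=PATH msg=audit(1190905815.100:10): item=0 name="/etc/passwd"',
    'type=SYSCALL msg=audit(1190905818.500:11): arch=c000003e syscall=2 success=no exit=-13',
    'type=PATH msg=audit(1190905818.500:11): item=0 name="/etc/shadow"',
]

# Constructed sample: records from a kernel that emits EOE markers.
SAMPLE_NEW_KERNEL = [
    'type=SYSCALL msg=audit(1190905820.000:12): arch=c000003e syscall=2 success=yes exit=3',
    'type=PATH msg=audit(1190905820.000:12): item=0 name="/etc/hosts"',
    'type=EOE msg=audit(1190905820.000:12): ',
    'type=SYSCALL msg=audit(1190905820.010:13): arch=c000003e syscall=2 success=yes exit=4',
    'type=EOE msg=audit(1190905820.010:13): ',
]


def run(lines, interval=INTERVAL_SECONDS):
    """Feed a record stream; return (assembler, number of events closed before flush)."""
    a = EventAssembler(interval)
    for line in lines:
        a.feed(line)
    closed_before_flush = len(a.closed)
    a.flush()
    return a, closed_before_flush


if __name__ == "__main__":
    for name, lines in (("old kernel", SAMPLE_OLD_KERNEL), ("new kernel", SAMPLE_NEW_KERNEL)):
        a, early = run(lines)
        print(name, "mode:", a.mode, "closed before flush:", early,
              "serials:", [e["serial"] for e in a.closed])
```

On the old-kernel sample event 10 is closed only when event 11's first record shows the stream time has advanced 3.4 seconds, and event 11 is not closed until the stream ends; on the EOE sample both events close at their EOE record, which is the earlier emission the thread describes. A production parser would also keep a safety timeout in "eoe" mode so that a lost EOE record cannot hold an event open forever.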