Re: [PATCH] Add End of Event record

On Thursday 27 September 2007 13:18:35 Todd, Charles wrote: What do you need to know? Plugins read from stdin, they must obey SIGHUP and SIGTERM, they must keep stdin empty. They can be sent either string data or a pseudo binary format straight from the audit daemon (I do not recommend that for anyone). The string format follows the guidelines laid out for the audit parser library. That is defined in the audit parsing library specs (although it needs updating for the node field). As for EOE, I had planned to filter that out when writing to disk as it just wastes disk space. The real issue is that for realtime reactive systems, every second counts. This lets them start to take actions faster. For reporting, all events are on disk and the EOE can be deduced. The auditd version is already recorded. uname -r output might be nice to add. I don't see why glibc version is needed. It has nothing to do with audit rules or events (the kernel does, though). Local system time is already recorded in every record. This is unnecessary since the audit daemon takes the event and writes it straight to disk. The audit format should not be changing from name=value in the foreseeable future. The nice thing is that if anyone wants to do something new, you can write a plugin to disassemble the native event and re-write it into any format you want. names and groups are the one thing that needs to be thought about. libaudit has a full table hostnames are another thing to think about, but shouldn't be as troublesome as users and groups. -Steve