Re: event loss with dispatcher?
On Thursday 08 November 2007 21:20:42 John Dennis wrote:
Steve Grubb wrote:
> On Thursday 08 November 2007 16:17:52 klausk(a)br.ibm.com wrote:
>> Any tips on how can I debug this further?
but by any chance could the missing audit data be explained by out of order
event ID's in the audit stream?
No chance. :)
Audispd does not link against the audit parsing library nor has a concept of a
full event - it just distributes what it has. If the configuration option is
to send string data to plugins, it does convert the type number to a string
value by a lookup function in libaudit, but that's full extent of it doing
anything to the event its passing along.
-Steve