Steve,
Can I suggest you modify src/ausearch-lol.c:check_events() to add the
AUDIT_PROCTITLE check (it will reduce memory overhead, as events will be
flushed faster).
Also, can we ask Richard to put a comment into the appropriate location in
the kernel code to indicate the dependency of ausearch/aureport/auparse
on AUDIT_PROCTITLE being the last record of an event, if present.
Regards
On Thu, 2016-01-07 at 17:31 -0500, Steve Grubb wrote:
On Wednesday, January 06, 2016 09:30:36 PM Burn Alting wrote:
> #3 - modify the standard auparse() test code.
And this patch is applied. Thanks, Burn, for all the patches! This will make
analytical programs much more accurate since interlaced records won't split an
event up any more.
If anyone wants to try out the new audit code from svn please send any
feedback asap. (Same with other bug reports.) I am aiming for a release in the
next 2 days. I just have to finish working on Richard's audit-by-process-name
patch and then it's time to release a new package.
-Steve
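Burn's suggestion at the top of the thread (flush an event as soon as its AUDIT_PROCTITLE record arrives, because the kernel emits that record last) in working form, as an added example that is not code from audit-userspace or from anyone in this thread. It is a standalone C reassembler run over a few constructed audit.log lines; the record layout (type=T msg=audit(secs.ms:serial): ...) matches what auditd writes, but the function names, the fixed-size tables, the choice to key only on the serial, and the sample records are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OPEN  16   /* events still being assembled */
#define MAX_RECS  16   /* record types kept per event */
#define MAX_DONE  16   /* completed events reported */

/* One event under assembly, keyed on the serial in msg=audit(secs.ms:SERIAL). */
struct event {
    unsigned long serial;
    int nrecs;
    char types[MAX_RECS][32];
};

static struct event open_ev[MAX_OPEN];
static int nopen;

/* Results of the last reassemble() call, for callers to inspect. */
int last_counts[MAX_DONE];  /* records per completed event, in completion order */
int last_open;              /* events still unfinished when input ran out */

/* Pull the record type and event serial out of one raw line; 0 on success. */
static int parse_record(const char *line, char *type, size_t tlen,
                        unsigned long *serial)
{
    const char *t = strstr(line, "type=");
    const char *m = strstr(line, "msg=audit(");
    const char *colon;
    size_t n;

    if (!t || !m)
        return -1;
    t += strlen("type=");
    n = strcspn(t, " ");
    if (n == 0 || n >= tlen)
        return -1;
    memcpy(type, t, n);
    type[n] = '\0';
    colon = strchr(m, ':');        /* separates timestamp from serial */
    if (!colon)
        return -1;
    *serial = strtoul(colon + 1, NULL, 10);
    return 0;
}

/* Find the open event for this serial, or start a new one (NULL if table full). */
static struct event *find_or_open(unsigned long serial)
{
    int i;

    for (i = 0; i < nopen; i++)
        if (open_ev[i].serial == serial)
            return &open_ev[i];
    if (nopen == MAX_OPEN)
        return NULL;
    open_ev[nopen].serial = serial;
    open_ev[nopen].nrecs = 0;
    return &open_ev[nopen++];
}

/* Remove entry i from the open list; order of the remainder is irrelevant. */
static void close_event(int i)
{
    open_ev[i] = open_ev[--nopen];
}

/*
 * Feed n raw records, possibly interleaved across events, and return how many
 * events completed. An event completes the moment its PROCTITLE record arrives
 * (the kernel logs it last), so memory is released without waiting for a
 * timeout. Events that never carry PROCTITLE stay open and are counted in
 * last_open; a real consumer must still age those out.
 */
int reassemble(const char *const *lines, int n)
{
    int i, done = 0;

    nopen = 0;
    for (i = 0; i < n; i++) {
        char type[32];
        unsigned long serial;
        struct event *ev;

        if (parse_record(lines[i], type, sizeof type, &serial) != 0)
            continue;                     /* not an audit record */
        ev = find_or_open(serial);
        if (!ev)
            continue;                     /* table full: drop the record */
        if (ev->nrecs < MAX_RECS)
            strcpy(ev->types[ev->nrecs++], type);
        if (strcmp(type, "PROCTITLE") == 0) {
            if (done < MAX_DONE)
                last_counts[done] = ev->nrecs;
            done++;
            close_event((int)(ev - open_ev));
        }
    }
    last_open = nopen;
    return done;
}

/* Constructed sample: two syscall events interleaved with a single-record login event. */
static const char *const SAMPLE[] = {
    "type=SYSCALL msg=audit(1452205000.123:456): arch=c000003e syscall=2 success=yes exit=3",
    "type=SYSCALL msg=audit(1452205000.124:457): arch=c000003e syscall=59 success=yes exit=0",
    "type=CWD msg=audit(1452205000.123:456): cwd=\"/root\"",
    "type=USER_LOGIN msg=audit(1452205000.125:458): pid=1 uid=0 auid=1000 res=success",
    "type=PATH msg=audit(1452205000.123:456): item=0 name=\"/etc/shadow\"",
    "type=PROCTITLE msg=audit(1452205000.123:456): proctitle=636174002F6574632F736861646F77",
    "type=PROCTITLE msg=audit(1452205000.124:457): proctitle=\"ls\"",
};
#define SAMPLE_N ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int main(void)
{
    int done = reassemble(SAMPLE, SAMPLE_N), i;

    printf("completed events: %d\n", done);
    for (i = 0; i < done; i++)
        printf("  event %d: %d records\n", i, last_counts[i]);
    printf("still open at end of input: %d\n", last_open);
    return 0;
}
```

The caveat is the "if present" in the thread: the USER_LOGIN event above never gets a PROCTITLE record and is still open when input ends, so the PROCTITLE check only lets events be flushed sooner; the existing time-based flush in check_events() remains the fallback for everything else.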