Hi Steve,<br>Just to confirm this:<br>If i am taking my data stream through the af_unix socket built-in plugin then will i get the audit_eoe event? Do i have to setup some special rule to get this event or is it there by default in the af_unix plugin stream?<br>
Thanks for the prompt reply.<br>Basim<br><br><div class="gmail_quote">On Mon, Aug 16, 2010 at 5:46 PM, Steve Grubb <span dir="ltr">&lt;<a href="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Monday, August 16, 2010 05:38:52 pm Basim Baig wrote:<br>
&gt; It would be really helpful to know if the number of events generated per<br>
&gt; system call change or do they stay the same.<br>
<br>
</div>As your data suggests, there can be several different records per event<br>
depending on what its trying to tell you. They all end with an AUDIT_EOE<br>
record. Auditd strips this off to save disk space, but live events have it.<br>
<font color="#888888"><br>
-Steve<br>
</font></blockquote></div><br>