Hello,
Still testing the new kernel. I've noticed that there is now log corruption
since we added the netlink patches:
type=KERNEL msg=audit(1115556451.615:8458544): item=0
name="/usr/libexec/dovecot/imap.#prelink#.QmQDxR" inode=1102979 dev=03:02
mode=040755 uid=0 gid=0 rdev=00:00:00d=0 gid=0 rde

What's the gid in twice for?

type=KERNEL msg=audit(1115556451.620:0): auid 4325 removed an audit rule
ccess=yes exit=5

rule was supposed to be end of sentence

type=USER msg=audit(1115557262.120:0): user pid=9262 uid=0 length=100
loginuid=4294967295 msg='PAM accounting: user=root exe=/usr/sbin/crond
(hostname=?, addr=?, terminal=cron result=Success)' sgid=0 fsgid=0
type=LOGIN msg=audit(1115557262.249:0): login pid=9262 uid=0 old
loginuid=4294967295 new loginuid=00 a1=80c2 a2=180

Why does the above have a1 & a2?

type=USER msg=audit(1115557262.453:0): user pid=9262 uid=0 length=100
loginuid=0 msg='PAM session open: user=root exe=/usr/sbin/crond (hostname=?,
addr=?, terminal=cron result=Success)'ccess)' sgid=0 f

Ended with an f

type=USER msg=audit(1115557262.784:0): user pid=9262 uid=0 length=100
loginuid=0 msg='PAM session close: user=root exe=/usr/sbin/crond (hostname=?,
addr=?, terminal=cron result=Success)'gid=0 sgid=0 fsg

cron should have been the end of message.

Also, should audit_expand take a parameter to suggest how big to grow? For
example, the buffer is inited to 1024, but it needs to put a PATH_MAX sized
filename into a message. In audit_vformat, it does 1 if statement and then one
increment. So now the buffer is 2048. That's still too small for a 4096 byte
filename. Either the call to expand should be in a while loop, or it should
take a hint.
-Steve
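
The buffer-growth question in the last paragraph, as an added example that is not part of the original mail and is not the kernel's audit code: a user-space C buffer whose expand routine takes a size hint and loops over fixed increments until the formatted text fits. The names `msgbuf`, `msgbuf_expand`, `msgbuf_format` and `demo`, and the 1024-byte `STEP`, are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define STEP 1024 /* assumed growth increment */
struct msgbuf { char *data; size_t len, cap; }; /* hypothetical type */

/* Grow in STEP increments until `need` more bytes fit (the size hint). */
static int msgbuf_expand(struct msgbuf *b, size_t need)
{
    size_t cap = b->cap;
    char *p;
    while (cap - b->len < need) /* loop: one increment may not be enough */
        cap += STEP;
    if (!(p = realloc(b->data, cap)))
        return -1;
    b->data = p;
    b->cap = cap;
    return 0;
}

/* Append formatted text without truncating; 0 on success, -1 on error. */
static int msgbuf_format(struct msgbuf *b, const char *fmt, ...)
{
    va_list ap, retry;
    int n;
    va_start(ap, fmt);
    va_copy(retry, ap);
    n = vsnprintf(b->data ? b->data + b->len : NULL, b->cap - b->len, fmt, ap);
    va_end(ap);
    if (n >= 0 && (size_t)n >= b->cap - b->len) { /* output was cut short */
        n = msgbuf_expand(b, (size_t)n + 1);      /* hint: text plus NUL */
        if (n == 0)
            n = vsnprintf(b->data + b->len, b->cap - b->len, fmt, retry);
    }
    va_end(retry);
    if (n >= 0)
        b->len += (size_t)n;
    return n < 0 ? -1 : 0;
}

/* Constructed input: a name of 4095 characters, the PATH_MAX limit. */
static struct msgbuf demo(void)
{
    static char name[4096];                 /* zeroed, so NUL-terminated */
    struct msgbuf b = {0};
    memset(name, 'a', sizeof(name) - 1);
    msgbuf_format(&b, "name=\"%s\"", name); /* b.len stays 0 on failure */
    return b;                               /* caller frees b.data */
}
```

With a single 1024-byte increment the same field would be cut off mid-value, which is the kind of truncated record shown in the log excerpts above.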