Oh, another thing which would (potentially) get harder is aggregation.
Since we have aggregated audit data sent from one audisp-remote to the
event loop of the aggregating auditd, both systems (kernels) would need
to be on the same data format page.
Otherwise, the formats would be interwoven in the same on-disk log.
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com