On Tue, 07 Oct 2014 18:06:51 -0400
Paul Moore <pmoore(a)redhat.com> wrote:
On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote:
> I also thought of moving audit_log_task() from auditsc.c to audit.c
> and using that. For that matter, both audit_log_task() and
> audit_log_task_info() could use audit_log_session_info(), but they
> are in slightly different order of keywords which will upset
> sgrubb's parser.
A bit of an aside from the patch, but in my opinion the parser should
be made a bit more robust so that it can handle fields in any
particular order. I agree that having fields in a "canonical
ordering" is helpful, both for tools and people, but the tools
shouldn't require it in my opinion.
Steve, why exactly can't the userspace parser handle fields in any
order? How difficult would it be to fix?
The issue is that people that really use audit really get vast
quantities of logs. The tools expect things in a specific order so that
it can pick things out of events as quickly as possible. IOW, it
knows when it can discard the line because it's grabbed everything it
needs. A casual audit user would never see this. I'm really optimizing
for the people who use ausearch and it takes 10 minutes to run.
-Steve
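To illustrate the trade-off the two replies above are discussing, here is an added example (my own code, not audit-userspace or ausearch) that extracts auid= and ses= from two constructed audit records, one in the kernel's canonical field order and one reordered. The order-dependent extractor stops at the field it expects to be last and so misses data when the order changes; the order-independent one still stops early, but only once every wanted field has been collected.

```python
"""Order-dependent vs. order-independent extraction of audit fields.
Sample records below are constructed for this example, not real output."""
import re

# Constructed records. CANONICAL uses the auid-before-ses order that
# audit_log_session_info() emits; REORDERED swaps the two fields, which is
# the situation the thread worries about for a second helper function.
CANONICAL = ('type=USER_LOGIN msg=audit(1412712411.000:101): pid=2001 uid=0 '
             'auid=1000 ses=4 msg=\'op=login acct="alice" res=success\'')
REORDERED = ('type=USER_LOGIN msg=audit(1412712412.000:102): pid=2002 uid=0 '
             'ses=5 auid=1000 msg=\'op=login acct="bob" res=success\'')

WANTED = ("auid", "ses")            # fields a search tool might need
_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"


def parse_ordered(line, wanted=WANTED):
    """Fast path in the spirit of the thread: walk left to right and
    discard the rest of the line as soon as the field assumed to be last
    (wanted[-1]) has been seen. Returns whatever was found, so the caller
    can notice when a different field order left a gap."""
    found = {}
    for m in _TOKEN.finditer(line):
        key, val = m.group(1), m.group(2)
        if key in wanted:
            found[key] = val
        if key == wanted[-1]:
            break   # assumes every other wanted field precedes this one
    return found


def parse_any_order(line, wanted=WANTED):
    """Order-independent variant: keep scanning until every wanted field
    has been collected, then stop. Early discard is preserved without
    depending on a canonical ordering."""
    found = {}
    for m in _TOKEN.finditer(line):
        key, val = m.group(1), m.group(2)
        if key in wanted:
            found[key] = val
            if len(found) == len(wanted):
                break   # nothing left to collect on this line
    return found
```

Run `parse_ordered(REORDERED)` and it returns only `ses`, while `parse_any_order` returns both fields for either record at the cost of scanning until the last wanted field actually appears.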