Re: Weird issues in 2.6.5

Hi, I had some odd behavior to report. I am running ubuntu 12.04. Using the default auditd and audispd-plugins packages for my release, I was able to get logs sent to local syslog and to a remote auditd server (same basic configuration), but the entries were being buffered somewhere (I think on the client side), and if the server died reconnections didn't happen. So, I wanted a more recent version, so I compiled audit-userspace from the github src mirror,* trunk@1341.

When I did, I got some weird results. For example, I expected got something like this in my audit.log: node=host.example.com type=CWD msg=audit(1468363871.644:3279856): cwd="/etc/audisp" And that was as expected. In syslog, I expected to get: Jul 13 08:34:53 host audispd: node=host.loc.example.com type=CWD msg=audit(1468363871.644:3279856): cwd="/etc/audisp" But instead, I got: Jul 13 08:34:53 host audispd: type=CWD msg=node=host.loc.example.com type=CWD msg=audit(1468363871.644 As you can see, the whole thing was prepended with "type=CWD msg=", and the line was truncated. Similarly, on the remote host, I got the same thing: type=CWD msg=node=host.loc.example.com type=CWD msg=audit(1468363871.644 I noticed that the most recent version of the src for ubuntu was 2.4.5, so I grabbed the src tarball from packages.ubuntu and built it, and now everything looks fine. The exact same line I see in my audit.log shows up in the remote audit.log, with no buffering. When I restart the remote auditd server or client, it reconnects. syslog has same entry (prepended with the timestamp etc.). Everything seems happy now. *For some reason I had to define `CC_FOR_BUILD=gcc` in my shell when I ran `make` from the svn/git src. I did not require this when building 2.4.5 from the ubuntu src.