I have been testing the dispatch system by having auditd monitor when a
certain file is opened. I have always seen 3 messages per open event (a
1300 and a 1307, followed by a 1302). I would assume other syscall rule
violations may trigger fewer or more messages.
So, is there a way to tell when all messages for a particular event have
been dispatched? I am combining information from each of an event's
messages to create an entry in a queue (containing event structures that
I created). I am trying to determine when I can process the combined
event information (when there are no more messages) so it can be removed
from the queue.
Also, is it safe to assume a type 1300 message is always the first
message pertaining to a rule violation?
Thanks,
Steve
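An added example (not code from the original post or from the audit project) showing one way to do the grouping described above: records are keyed by the `audit(timestamp:serial)` id they share, and an event is treated as complete once a record with a newer serial arrives, since the records of one event carry no count. The sample records, the file path, the `lag` parameter and the `EventAssembler` name are constructed for this example; `lag=1` assumes the records of different events never interleave on the stream.

```python
import re

# Header common to every record of one event, in the
# "type=NAME msg=audit(SECONDS.MILLIS:SERIAL):" form the dispatcher delivers.
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# Numeric types from the post, for streams that carry numbers instead of names.
TYPE_NAMES = {"1300": "SYSCALL", "1302": "PATH", "1307": "CWD"}

class EventAssembler:
    """Groups audit records by their event serial.

    Completion is inferred, not signalled: an event is flushed once a record
    whose serial is at least `lag` higher has arrived, or at close().
    lag=1 assumes events never interleave; a larger lag tolerates
    interleaving at the cost of later delivery. (lag must be >= 1.)
    """
    def __init__(self, lag=1):
        self.lag = lag
        self.pending = {}  # serial -> {"serial", "time", "records": [(type, body)]}

    def feed(self, line):
        m = HEADER.match(line.strip())
        if not m:
            return []  # not an audit record (e.g. a blank line); nothing to do
        rtype, ts, serial, body = m.groups()
        serial = int(serial)
        ev = self.pending.setdefault(serial, {"serial": serial, "time": float(ts), "records": []})
        ev["records"].append((TYPE_NAMES.get(rtype, rtype), body))
        # Everything at least `lag` serials behind the newest record is complete.
        return [self.pending.pop(k) for k in sorted(self.pending) if k + self.lag <= serial]

    def close(self):
        # End of stream: whatever is still pending can receive no more records.
        return [self.pending.pop(k) for k in sorted(self.pending)]

def assemble(lines, lag=1):
    """Run a whole record stream through the assembler and return the events."""
    a, events = EventAssembler(lag), []
    for line in lines:
        events.extend(a.feed(line))
    events.extend(a.close())
    return events

# Constructed sample: two open events, the second in numeric-type form.
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:42): arch=c000003e syscall=257 success=yes exit=3 key="watched-file"
type=CWD msg=audit(1700000000.101:42): cwd="/home/steve"
type=PATH msg=audit(1700000000.101:42): item=0 name="/srv/app/watched.conf" inode=1234 mode=0100644
type=1300 msg=audit(1700000000.205:43): arch=c000003e syscall=257 success=no exit=-13 key="watched-file"
type=1307 msg=audit(1700000000.205:43): cwd="/tmp"
type=1302 msg=audit(1700000000.205:43): item=0 name="/srv/app/watched.conf"
""".splitlines()

if __name__ == "__main__":
    for ev in assemble(SAMPLE):
        print(ev["serial"], [t for t, _ in ev["records"]])
```

Because completion is inferred from the next event, the last event in a quiet stream is only delivered at close(); a production consumer would also flush on a timer.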