On Thursday 27 September 2007 12:50:15 John Dennis wrote:
> I believe the consequences are this:
>
> 1) A real time audit parsing library must still support both event
> closure mechanisms (note, parsing libraries are user space and
> independent of kernel versions and hosts).

Yes.

> 2) The library when it opens an audit stream must start with its
> closure mechanism set to "interval".

If you design it so, yes. I'd rather just say it's either timing out the
connection or when the processed time in the file has elapsed beyond, say,
2 seconds...

> 3) If AUDIT_EOE is seen the library sets its closure mechanism to
> "EOE". Closed events will then be emitted earlier than previously.

Correct. This is all about speeding up the realtime analysis.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
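The closure logic the two of them are agreeing on, written out as an added example (this is not code from the thread, from audit's auparse, or from any other project): a small Python assembler that groups records by their audit(secs.msec:serial) key, starts with the closure mechanism set to "interval", and flips to "EOE" the first time it sees a type=EOE record. The 2-second interval is Steve's "say 2 seconds"; the sample stream is constructed, and keeping the interval as a backstop even in EOE mode is an assumption of the example (the mail does not say what happens to an event whose trailer never arrives).

```python
import re
from collections import OrderedDict

# Constructed for this example: the "say 2 seconds" interval from the mail.
INTERVAL_MS = 2000

# Standard audit record header: type=<TYPE> msg=audit(<secs>.<msec>:<serial>): <fields>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<secs>\d+)\.(?P<msec>\d{3}):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)


def parse_record(line):
    """Split one audit line into its type, event key and field body."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    # Integer milliseconds avoid float trouble when subtracting large timestamps.
    ts_ms = int(m.group("secs")) * 1000 + int(m.group("msec"))
    return {
        "type": m.group("type"),
        "key": (ts_ms, int(m.group("serial"))),  # (timestamp, serial) identifies the event
        "body": m.group("body"),
    }


class EventAssembler:
    """Groups records into events and decides when an event is closed.

    Starts with closure mechanism "interval": an event is closed once the
    stream's processed time has moved INTERVAL_MS past the event's own
    timestamp.  The first type=EOE record flips the mechanism to "EOE":
    from then on an event is closed the moment its EOE record arrives.
    The interval is kept as a backstop in EOE mode (an assumption of this
    example, not something the mail specifies) so that an event that never
    receives a trailer cannot stay open forever.
    """

    def __init__(self, interval_ms=INTERVAL_MS):
        self.interval_ms = interval_ms
        self.mode = "interval"
        self.open = OrderedDict()  # key -> list of records, in arrival order
        self.closed = []           # (key, mode_at_close, reason, records)

    def _close(self, key, reason):
        records = self.open.pop(key, [])
        event = (key, self.mode, reason, records)
        self.closed.append(event)
        return event

    def _expire(self, now_ms):
        """Close every open event whose timestamp is at least one interval behind now_ms."""
        done = []
        for key in list(self.open):
            if now_ms - key[0] >= self.interval_ms:
                done.append(self._close(key, "interval"))
        return done

    def feed(self, line):
        """Consume one record; return the events closed by it."""
        rec = parse_record(line)
        closed = []
        if rec["type"] == "EOE":
            self.mode = "EOE"          # the kernel emits trailers: switch mechanism
            closed.append(self._close(rec["key"], "EOE"))
        else:
            self.open.setdefault(rec["key"], []).append(rec)
        closed.extend(self._expire(rec["key"][0]))
        return closed

    def flush(self):
        """End of stream: nothing more will arrive, so close whatever is left."""
        return [self._close(key, "flush") for key in list(self.open)]


def assemble(lines):
    """Run a whole stream through the assembler; return closed events in order."""
    asm = EventAssembler()
    for line in lines:
        asm.feed(line)
    asm.flush()
    return asm.closed


# Constructed sample stream (not a real capture): events 100 and 101 arrive
# without trailers, events 102 and 103 are followed by type=EOE.
SAMPLE_STREAM = [
    'type=SYSCALL msg=audit(1190912403.100:100): arch=c000003e syscall=2 success=yes exit=3',
    'type=CWD msg=audit(1190912403.100:100): cwd="/root"',
    'type=PATH msg=audit(1190912403.100:100): item=0 name="/etc/shadow"',
    'type=SYSCALL msg=audit(1190912404.500:101): arch=c000003e syscall=59 success=yes exit=0',
    'type=EXECVE msg=audit(1190912404.500:101): argc=1 a0="id"',
    'type=SYSCALL msg=audit(1190912405.300:102): arch=c000003e syscall=2 success=no exit=-13',
    'type=EOE msg=audit(1190912405.300:102): ',
    'type=SYSCALL msg=audit(1190912406.700:103): arch=c000003e syscall=2 success=yes exit=4',
    'type=EOE msg=audit(1190912406.700:103): ',
]

if __name__ == "__main__":
    for key, mode, reason, records in assemble(SAMPLE_STREAM):
        print("event %d.%03d:%d closed by %s (mode %s), %d records"
              % (key[0] // 1000, key[0] % 1000, key[1], reason, mode, len(records)))
```

Running it on the sample shows the point of the thread: event 100 can only be closed when the stream has moved 2 seconds past it (the record for 102 at 405.300 does that), whereas event 102 is closed at 405.300 by its own EOE instead of waiting until the stream reaches 407.300. Event 101 never gets a trailer and is only closed by the interval backstop, which is the case a real-time parser has to keep handling even after it has switched to EOE.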
