On Wednesday, March 07, 2012 11:50:26 AM Guillaume Destuynder wrote:
> Below patch "fixes" it. The problem is that if you have a node name
> included in the message, and that it's a long hostname, it's just not
> copying a long enough string, and it will fail to parse the message
> serial. When the serial is incorrect, auparse will fail to group them
> and notify with AUPARSE_CB_EVENT_READY as a consequence.
>
> Now, I write this "fixes" it because if you have a really, really long
> hostname, it will fail in the same manner.

Yes. It looks like we support names up to 255 bytes. So, the "fix" needs more
to it. This also affects ausearch/report as well. Since this points directly to
the problem, the real fix should be straightforward.

> Or just do away with strtok and avoid duping strings.

Sure, that's the long term plan.

-Steve
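
Added example, not part of the original message and not auparse's own code: the truncation failure described in the thread, next to an in-place parse of the event serial that uses neither strtok nor a string copy. The 64-byte buffer and all function names are assumptions made for illustration, and the sample records are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Read one unsigned decimal field that must be followed by `term`. */
static int field(const char **p, char term, unsigned long *out)
{
    char *end;
    if (!isdigit((unsigned char)**p))
        return -1;
    errno = 0;
    *out = strtoul(*p, &end, 10);
    if (errno == ERANGE || *end != term)
        return -1;
    *p = end + 1;
    return 0;
}

/* Find "msg=audit(sec.milli:serial)" in place: no copy, no strtok. */
int parse_serial(const char *rec, unsigned long *serial)
{
    unsigned long sec, milli;
    const char *p = strstr(rec, "msg=audit(");
    if (p == NULL)
        return -1;
    p += strlen("msg=audit(");
    return (field(&p, '.', &sec) || field(&p, ':', &milli) || field(&p, ')', serial)) ? -1 : 0;
}

/* Failure mode from the thread: parse a fixed-size copy of the record. */
int parse_serial_fixed_copy(const char *rec, unsigned long *serial)
{
    char buf[64] = {0};                  /* hypothetical size, not auparse's */
    strncpy(buf, rec, sizeof(buf) - 1);  /* a long node= pushes msg= out of the copy */
    return parse_serial(buf, serial);
}

/* Constructed sample record whose node name is `len` bytes of 'h'. */
char *make_record(size_t len)
{
    const char *tail = " type=SYSCALL msg=audit(1331117426.123:4567): arch=c000003e";
    char *rec = malloc(5 + len + strlen(tail) + 1);
    if (rec == NULL)
        return NULL;
    memset(rec, 'h', 5 + len);
    memcpy(rec, "node=", 5);
    strcpy(rec + 5 + len, tail);
    return rec;
}
```

With a 255-byte node name the fixed-copy variant returns -1 because the msg= field never reaches the buffer, while the in-place parse still returns serial 4567.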
