Thanks Steve, I will check it out and re-fit patches over the next few days and submit individual patches for review.
Rgds Burn On Mon, 2013-05-06 at 18:04 -0400, Steve Grubb wrote: > On Monday, May 06, 2013 09:53:40 AM Steve Grubb wrote: > > > - a new option will print out more parser friendly output for > > > interpreted mode > > > > I am in the midst of coalescing the interpreters into one. I know this > > sounds crazy, but ausearch and auparse both had independent copies of > > nearly the same material. The problem was they both keep data formatted > > completely different and that made combining them a challenge. I think > > auparse has a faster lookup algorithm but it allocates memory for the > > translation. So, I hope they cancel each other out. > > > > My point in mentioning this is that I am probably in the middle of changing > > code you hooked into. The work is checked in but still in progress. The > > first step was to create a common API for 3 functions used in translating > > fields. (This is checked in.) The next step is to link ausearch against > > auparse with the ausearch functions commented out. The final step is to > > remove all the unneeded code from ausearch. (I should be doing this today.) > > All changes are checked into svn for this interpreter switch over. So far my > testing shows that although ausearch malloc/frees about 6 times as much as it > used to, the lookup algorithms in auparse are superior and we actually have > about a 20% speed improvement in the outputting of interpreted results. > Searching is not any faster. > > At this point, the code should be stable in this area if you want to retest > and start sending patches. > > Thanks, > -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
