On Friday, April 18, 2014 12:08:24 PM Burn Alting wrote:
> Please find attached a patch against 2.3.6 that, when checkpointing,
> notices if we identify an audit.log file to use (ie the dev and inode
> match) but we find a complete event whose time is > 2 seconds past the
> checkpoint time. This should not happen, as the checkpoint event should
> be found BEFORE any other complete event for the checkpoint event was
> the last displayed complete event in the file. When this occurs, a
> message is printed to stderr and ausearch will terminate with an exit
> code of 12.
>
> This typically occurs if there is a lot of processing or a long time
> occurs between two invocations of ausearch --checkpoint. Basically, an
> inode is reused in one of the new audit.log files.

Thanks for the patch. Applied as commit 950 with a couple formatting changes.

-Steve
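
The check described in the quoted message, sketched as an added example that is not part of the original thread and is not ausearch's own code. The struct, function and result-code names are hypothetical, each log line is assumed to be one complete event, and the sample records are constructed; only the 2-second threshold and the value 12 come from the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical checkpoint: log file identity plus the last event displayed. */
struct checkpoint { unsigned long dev, ino; long sec; unsigned ms; unsigned long serial; };

/* Hypothetical result codes; 12 mirrors the exit code named in the mail. */
enum { CP_FOUND = 0, CP_OTHER_FILE = 1, CP_NOT_SEEN = 2, CP_INODE_REUSED = 12 };

/* Scan one log file's records (one record per line, each treated as a
 * complete event for simplicity) looking for the checkpointed event. */
int check_log(const struct checkpoint *cp, unsigned long dev, unsigned long ino,
              const char *const *lines, size_t n)
{
    if (dev != cp->dev || ino != cp->ino)
        return CP_OTHER_FILE;              /* not the checkpointed file */
    long long cp_ms = cp->sec * 1000LL + cp->ms;
    for (size_t i = 0; i < n; i++) {
        long sec; unsigned ms; unsigned long serial;
        const char *p = strstr(lines[i], "msg=audit(");
        if (!p || sscanf(p, "msg=audit(%ld.%u:%lu)", &sec, &ms, &serial) != 3)
            continue;                      /* skip unparsable records */
        if (sec == cp->sec && ms == cp->ms && serial == cp->serial)
            return CP_FOUND;               /* resume after this event */
        /* An event more than 2 s past the checkpoint, seen before the
         * checkpoint event itself: same dev/inode, but a different file. */
        if (sec * 1000LL + ms - cp_ms > 2000)
            return CP_INODE_REUSED;
    }
    return CP_NOT_SEEN;
}

int main(void)
{
    struct checkpoint cp = { 0xfd00, 131, 1397786904, 120, 4512 };
    /* Constructed sample records, not real audit data. */
    const char *same[] = { "type=SYSCALL msg=audit(1397786903.900:4511): ...",
                           "type=SYSCALL msg=audit(1397786904.120:4512): ..." };
    const char *reused[] = { "type=LOGIN msg=audit(1397790000.001:9001): ..." };
    printf("%d %d\n", check_log(&cp, 0xfd00, 131, same, 2),
                      check_log(&cp, 0xfd00, 131, reused, 1));
    return 0;
}
```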
