Steve,

Can I suggest you modify src/ausearch-lol.c:check_events() to add in the AUDIT_PROCTITLE check (will reduce memory overhead as events will be flushed faster). Also can we ask Richard to put a comment into the appropriate location in the kernel code to indicate the link between ausearch/aureport/auparse depending on AUDIT_PROCTITLE being the last record of an event if present.

Regards

On Thu, 2016-01-07 at 17:31 -0500, Steve Grubb wrote:
> On Wednesday, January 06, 2016 09:30:36 PM Burn Alting wrote:
> > #3 - modify the standard auparse() test code.
>
> And this patch is applied. Thanks, Burn, for all the patches! This will make
> analytical programs much more accurate since interlaced records won't split an
> event up any more.
>
> If anyone wants to try out the new audit code from svn please send any
> feedback asap. (Same with other bug reports.) I am aiming for a release in the
> next 2 days. I just have to finish working on Richard's audit by process name
> patch and then it's time to release a new package.
>
> -Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
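The event-assembly idea behind this request, as an added illustration that is not code from the audit userspace tree: raw records are keyed by timestamp and serial, and an event is flushed as soon as its terminating record arrives instead of waiting for end of input or an eviction limit. It assumes, as the thread states, that AUDIT_PROCTITLE is the last record of an event when present; the sample records and the max_open limit are constructed for the example.

```python
import re
from collections import OrderedDict

# Header of a raw audit record, e.g. "type=SYSCALL msg=audit(1452200000.100:101): ..."
HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")

def assemble_events(lines, terminators=("EOE", "PROCTITLE"), max_open=64):
    """Group raw records into events keyed by (timestamp, serial).

    An event is flushed as soon as one of `terminators` arrives for it
    (PROCTITLE is included on the assumption that it is the last record of
    an event when present), falling back to evicting the oldest open event
    when more than `max_open` are pending. Returns (key, record_types,
    flushed_at) tuples, where flushed_at is the input line index that caused
    the flush, or len(lines) for events only flushed at end of input.
    """
    open_events = OrderedDict()
    flushed = []
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m:
            continue  # ignore lines that are not audit records
        rtype, key = m.group(1), (m.group(2), int(m.group(3)))
        open_events.setdefault(key, []).append(rtype)
        if rtype in terminators:
            flushed.append((key, open_events.pop(key), i))
        elif len(open_events) > max_open:
            old_key, old_types = open_events.popitem(last=False)
            flushed.append((old_key, old_types, i))
    # End of input: flush whatever is still open, oldest first.
    flushed.extend((k, v, len(lines)) for k, v in open_events.items())
    return flushed

# Constructed sample: records of two events (serials 101 and 102) interleaved.
SAMPLE = [
    'type=SYSCALL msg=audit(1452200000.100:101): arch=c000003e syscall=59 success=yes',
    'type=SYSCALL msg=audit(1452200000.101:102): arch=c000003e syscall=2 success=yes',
    'type=EXECVE msg=audit(1452200000.100:101): argc=2 a0="ls" a1="-l"',
    'type=PATH msg=audit(1452200000.101:102): item=0 name="/etc/passwd"',
    'type=CWD msg=audit(1452200000.100:101): cwd="/root"',
    'type=PROCTITLE msg=audit(1452200000.100:101): proctitle=6C73002D6C',
    'type=PROCTITLE msg=audit(1452200000.101:102): proctitle=636174',
]

if __name__ == "__main__":
    for key, types, at in assemble_events(SAMPLE):
        print(f"event {key[1]} flushed at line {at}: {types}")
```

Running the same sample with terminators=("EOE",) shows both events staying open until end of input, which is the memory overhead the PROCTITLE check removes.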
