On Friday, January 08, 2016 10:05:13 AM Burn Alting wrote:
> Steve,
>
> Can I suggest you modify src/ausearch-lol.c:check_events() to add in the
> AUDIT_PROCTITLE check (will reduce memory overhead as events will be
> flushed faster).

OK. Good suggestion. The SVN repo has been updated.

> Also can we ask Richard to put a comment into the appropriate location in
> the kernel code to indicate the link between ausearch/aureport/auparse
> depending on AUDIT_PROCTITLE being the last record of an event if
> present.

I'll let them answer. That said, one of the things I want to add in the next development cycle is the ability to get rid of proctitle records if the admin wants to. They waste a lot of space. But if they are missing then we have the same performance as we did before I added this patch.

-Steve

> On Thu, 2016-01-07 at 17:31 -0500, Steve Grubb wrote:
> > On Wednesday, January 06, 2016 09:30:36 PM Burn Alting wrote:
> > > #3 - modify the standard auparse() test code.
> >
> > And this patch is applied. Thanks, Burn, for all the patches! This will
> > make analytical programs much more accurate since interlaced records
> > won't split an event up any more.
> >
> > If anyone wants to try out the new audit code from svn please send any
> > feedback asap. (Same with other bug reports.) I am aiming for a release in
> > the next 2 days. I just have to finish working on Richard's audit by
> > process name patch and then it's time to release a new package.
> >
> > -Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
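
The flush-on-PROCTITLE idea discussed in this thread, as an added example (not code from the audit project or from any poster): a simplified C model that groups interlaced records by serial and releases an event as soon as its PROCTITLE record arrives. `feed_record`, `pending`, `MAX_OPEN` and the sample log lines are constructed for illustration; the real logic in `check_events()` is not reproduced here.

```c
#include <stdio.h>
#include <string.h>
#define MAX_OPEN 16
/* A partially assembled event. Keyed on the serial only, for brevity; the
 * full event ID in msg=audit(sec.ms:serial) also includes the timestamp. */
struct open_event { unsigned long serial; int nrecords; int in_use; };
static struct open_event open_events[MAX_OPEN];
static int npending;            /* events held in memory awaiting records */
int pending(void) { return npending; }

/* Feed one raw record. Returns the number of records in the event this
 * record completed, 0 if the event stays open, -1 if unparsable or full. */
int feed_record(const char *line)
{
    char type[32];
    unsigned long serial;
    int i, slot = -1;

    if (sscanf(line, "type=%31s msg=audit(%*u.%*u:%lu)", type, &serial) != 2)
        return -1;
    for (i = 0; i < MAX_OPEN; i++) {
        if (open_events[i].in_use && open_events[i].serial == serial) { slot = i; break; }
        if (!open_events[i].in_use && slot < 0) slot = i;
    }
    if (slot < 0) return -1;        /* table full (hypothetical fixed limit) */
    if (!open_events[slot].in_use) {
        open_events[slot] = (struct open_event){ serial, 0, 1 };
        npending++;
    }
    open_events[slot].nrecords++;
    if (strcmp(type, "PROCTITLE") != 0)
        return 0;                   /* more records may still follow */
    open_events[slot].in_use = 0;   /* PROCTITLE is last: flush the event */
    npending--;
    return open_events[slot].nrecords;
}

int main(void)
{
    const char *log[] = {           /* constructed sample: two interlaced events */
        "type=SYSCALL msg=audit(1452250000.123:101): syscall=2",
        "type=SYSCALL msg=audit(1452250000.124:102): syscall=59",
        "type=PROCTITLE msg=audit(1452250000.123:101): proctitle=636174",
        "type=PROCTITLE msg=audit(1452250000.124:102): proctitle=6C73",
    };
    for (size_t i = 0; i < sizeof log / sizeof *log; i++) {
        int done = feed_record(log[i]);
        printf("record %zu: completed=%d pending=%d\n", i, done, pending());
    }
}
```

In this model an event that never receives a PROCTITLE record stays in `open_events` until something else releases it, so only events that carry the record are flushed early.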
