Hello,

On Wednesday, June 12, 2019 3:05:40 AM EDT Tarun Ramesh wrote:
> Also I noticed that the EOE record is treated as its own event even though
> there were other records with the same audit serial number. I guess this is
> expected as after EOE there will be no more records for this event and if
> EOE was treated as a part of the previous event, then it will not be
> possible to tell when this event is complete.

This turns out to be a benign bug. Auparse has some heuristics to determine 
the end of an event as quickly as possible. It appears that it determined the 
event was complete before the EOE event arrived and thus the EOE event had no 
existing event to get added to. I fixed auparse to eat standalone EOE events 
since they are meaningless on their own. Thanks for reporting this issue.

-Steve



--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
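The behaviour Steve describes (an event closed early by an end-of-event heuristic, followed by an EOE record that has no open event to join and is therefore discarded rather than surfaced as its own event) is easy to reproduce with a small record grouper. The following Python is an added illustration written for this page; it is not auparse's code, and the set of "single record" types it uses as its closing heuristic, the audit lines it parses, and the function names are all constructed for the example.

```python
"""Toy grouping of Linux audit records into events by serial number.

Constructed example, not auparse's implementation. An audit event is the set
of records that share the serial in ``msg=audit(<time>:<serial>):``; a
record of type EOE marks the end of a multi-record event. The grouper below
closes some events early (a heuristic, as auparse does) and then drops any
EOE that arrives for an event that is no longer open, instead of turning
that EOE into a standalone event.
"""
import re
from collections import OrderedDict

# Common prefix of every audit record: type, timestamp, serial, then the body.
_RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

# Assumption for this toy: these record types are complete in one record, so
# seeing one lets the grouper close the event without waiting for an EOE.
SINGLE_RECORD_TYPES = {"USER_LOGIN", "USER_AUTH", "DAEMON_START", "DAEMON_END"}


def parse_record(line):
    """Split one audit log line into its type, time, serial and body."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    return {
        "type": m["type"],
        "time": m["time"],
        "serial": int(m["serial"]),
        "body": m["body"],
    }


def group_events(lines):
    """Group records into events.

    Returns (events, dropped_eoe): the completed events in order of
    completion, and how many standalone EOE records were discarded.
    """
    open_events = OrderedDict()  # serial -> event still accumulating records
    completed = []
    dropped_eoe = 0

    def close(serial):
        completed.append(open_events.pop(serial))

    for line in lines:
        rec = parse_record(line)
        serial = rec["serial"]

        if rec["type"] == "EOE":
            if serial in open_events:
                # Normal case: EOE terminates an event we are still building.
                open_events[serial]["records"].append(rec)
                close(serial)
            else:
                # Standalone EOE: its event was already closed by a heuristic
                # (or never seen). It carries no data, so it is dropped.
                dropped_eoe += 1
            continue

        event = open_events.setdefault(
            serial, {"serial": serial, "time": rec["time"], "records": []}
        )
        event["records"].append(rec)

        # Early-close heuristic: a record type that always stands alone
        # means the event is complete as soon as that record arrives.
        if rec["type"] in SINGLE_RECORD_TYPES:
            close(serial)

    # Flush anything still open when the input ends.
    for serial in list(open_events):
        close(serial)
    return completed, dropped_eoe


# Constructed sample log: a three-record execve event with its EOE, then a
# login record that the heuristic closes early, followed by an EOE that
# therefore arrives with no open event to join.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1560306340.123:1001): arch=c000003e syscall=59 success=yes exit=0 comm="ls"',
    'type=EXECVE msg=audit(1560306340.123:1001): argc=2 a0="ls" a1="-l"',
    "type=PROCTITLE msg=audit(1560306340.123:1001): proctitle=6C73002D6C",
    "type=EOE msg=audit(1560306340.123:1001): ",
    "type=USER_LOGIN msg=audit(1560306341.000:1002): pid=123 uid=0 auid=1000 ses=4 msg='op=login res=success'",
    "type=EOE msg=audit(1560306341.000:1002): ",
]


def summarize(lines=SAMPLE_LINES):
    """Return (list of (serial, record types), dropped EOE count) for the input."""
    events, dropped = group_events(lines)
    return [(e["serial"], [r["type"] for r in e["records"]]) for e in events], dropped


if __name__ == "__main__":
    shape, dropped = summarize()
    for serial, types in shape:
        print(f"event {serial}: {' '.join(types)}")
    print(f"standalone EOE records dropped: {dropped}")
```

Running the sample yields two events, the second consisting only of the USER_LOGIN record, and exactly one dropped EOE. Without the `dropped_eoe` branch the trailing EOE for serial 1002 would have been opened as a new, empty event, which is the symptom reported in the thread.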