From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Dispatching of events
Date: Wed, 14 Jun 2006 08:52:10 -0400
Message-ID: <200606140852.10171.sgrubb@redhat.com>
In-Reply-To: <44900409.4040008@ornl.gov>

On Wednesday 14 June 2006 08:41, Steve wrote:
> So, is there a way to tell when all messages for a particular event have
> been dispatched? 

This was recently discussed on the list. All the records for the same event 
come out one after another. There is a chance that some other event may sneak 
in during the dump. But you can pretty well assume that if there are no more 
records emitted with the same serial number/time stamp within 2-3 seconds, 
you have a complete event.

> Also, is it safe to assume a type 1300 message is always the first
> message pertaining to a rule violation?

Maybe not. I'd not make that assumption just to be safe. Collect the full 
event's information, then look at the message types.

-Steve
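
Added example, not part of the original message or of the audit project's code: one way a consumer of dispatched records could apply the advice above, grouping records by their timestamp:serial pair and treating an event as complete once no record for it has arrived for a few seconds, then inspecting the record types only afterwards. The class name, the 3-second default and the sample records are constructed for illustration; records are assumed to be in the text form `type=NAME msg=audit(time:serial):`.

```python
import re

# Header of a text-form audit record: type=NAME msg=audit(time:serial):
HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")

class EventAssembler:
    """Hypothetical helper: groups records by (time, serial), flushes on idle."""

    def __init__(self, idle_timeout=3.0):
        self.idle_timeout = idle_timeout
        self.pending = {}  # (time, serial) -> [last_arrival, [(type, line), ...]]

    def feed(self, line, now):
        """Store one record that arrived at `now`; return events now complete."""
        m = HEADER.search(line)
        if m:
            key = (m.group(2), int(m.group(3)))
            entry = self.pending.setdefault(key, [now, []])
            entry[0] = now  # any new record restarts the idle timer
            entry[1].append((m.group(1), line))
        return self.expire(now)

    def expire(self, now):
        """Pop events that have had no new record for idle_timeout seconds."""
        done = [k for k, (seen, _) in self.pending.items()
                if now - seen >= self.idle_timeout]
        return [(k, self.pending.pop(k)[1]) for k in done]

# Constructed sample: (arrival time, record). Event 502 sneaks in between the
# records of event 501, and SYSCALL (type 1300) is not 501's first record.
SAMPLE = [
    (0.0, 'type=AVC msg=audit(1150289530.100:501): avc: denied { read } pid=812'),
    (0.1, 'type=USER_AUTH msg=audit(1150289530.150:502): user pid=900 uid=0'),
    (0.2, 'type=SYSCALL msg=audit(1150289530.100:501): syscall=5 success=no'),
    (0.3, 'type=PATH msg=audit(1150289530.100:501): name="/etc/shadow"'),
]

def demo():
    """Feed the sample, then poll the idle timer; return (serial, [types])."""
    asm = EventAssembler(idle_timeout=3.0)
    out = []
    for arrival, line in SAMPLE:
        out += asm.feed(line, arrival)
    out += asm.expire(3.2)  # 502 has been idle for 3.1 s, 501 for only 2.9 s
    out += asm.expire(3.5)  # 501 is now idle for 3.2 s
    return [(serial, [rtype for rtype, _ in recs]) for (_, serial), recs in out]
```

A real consumer would call `expire()` from a periodic timer as well as on each record, so the last event before a quiet period is still released.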
