From: Guillaume Destuynder <gdestuynder@mozilla.com>
To: linux-audit@redhat.com
Subject: [PATCH] auparse.c events_are_equal() and event matching
Date: Mon, 24 Nov 2014 20:23:26 -0800
Message-ID: <5474043E.4010407@mozilla.com>
Hi,
on our RHEL6 machines, with kernel 2.6.32, we noticed that sometimes an
audit message comes in but libaudit does not see it as the same event.
The milliseconds field of the timestamp differs (but the timestamp
seconds and event serial are identical).
The check to determine if 2 messages are part of the same event is done
by events_are_equal() in auparse/auparse.c (audit userspace library).
There is a comment that indicates that this is voluntary - however, I
could not find why. I suspect this is for searches over long periods of
time when the serial may roll over.
In case this was simply overlooked I'm attaching a patch that fixes it
for us. It keeps the timestamp check for the seconds, which works fine
and would still work with serial rolling over.
Again, it's relatively rare in our logs that the timestamp's millisecond
field differs, and we log very heavily - so it's not that easy to reproduce.
Thanks!
Guillaume
Index: trunk/auparse/auparse.c
===================================================================
--- trunk/auparse/auparse.c (revision 1063)
+++ trunk/auparse/auparse.c (working copy)
@@ -752,10 +752,10 @@
static int inline events_are_equal(au_event_t *e1, au_event_t *e2)
{
- // Check time & serial first since its most likely way
- // to spot 2 different events
- if (!(e1->serial == e2->serial && e1->milli == e2->milli &&
- e1->sec == e2->sec))
+ // Check serial and timestamp - but not milliseconds
+ // as, even if rare, these may not match for the same message due to
+ // kernel processing delays
+ if (!(e1->serial == e2->serial && e1->sec == e2->sec))
return 0;
// Hmm...same so far, check if both have a host, only a string
// compare can tell if they are the same. Otherwise, if only one
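Review bot: the new comment asserts a root cause ("kernel processing delays") that the cover letter itself describes as a suspicion rather than a confirmed finding; please word it as an observation, e.g. "the millisecond field has been observed to differ between records of the same event on 2.6.32 kernels", or reference the actual cause once it is identified. The comparison change also slightly widens what counts as one event: two records with the same serial and second but different milliseconds are now merged, which is only a concern if the serial wraps within a single second, so it would be worth stating that trade-off in the comment in place of the removed "most likely way to spot 2 different events" remark. Minor: "timestamp - but not milliseconds" reads better as "timestamp (seconds), but not milliseconds".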