From: Steve Grubb <sgrubb@redhat.com>
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
Subject: Re: Patch to auparse to handle out of order messages 3 of 3
Date: Thu, 07 Jan 2016 18:44:24 -0500
Message-ID: <9882122.aVvjtOsnp8@x2>
In-Reply-To: <1452207913.27159.4.camel@swtf.swtf.dyndns.org>

On Friday, January 08, 2016 10:05:13 AM Burn Alting wrote:
> Steve,
>
> Can I suggest you modify src/ausearch-lol.c:check_events() to add in the
> AUDIT_PROCTITLE check (will reduce memory overhead as events will be
> flushed faster).

OK. Good suggestion. The SVN repo has been updated.

> Also can we ask Richard put a comment into the appropriate location in
> the kernel code to indicate the link between ausearch/aureport/auparse
> depending on AUDIT_PROCTITLE being the last record of an event if
> present.

I'll let them answer.

That said, one of the things I want to add in the next development cycle is the
ability to get rid of proctitle records if the admin wants to. They waste a
lot of space. But if they are missing then we have the same performance as we
did before I added this patch.

-Steve

> On Thu, 2016-01-07 at 17:31 -0500, Steve Grubb wrote:
> > On Wednesday, January 06, 2016 09:30:36 PM Burn Alting wrote:
> > > #3 - modify the standard auparse() test code.
> >
> > And this patch is applied. Thanks, Burn, for all the patches! This will
> > make analytical programs much more accurate since interlaced records
> > won't split an event up any more.
> >
> > If anyone wants to try out the new audit code from svn please send any
> > feedback asap. (Same with other bug reports.) I am aiming for a release in
> > the next 2 days. I just have to finish working on Richard's audit by
> > process name patch and then it's time to release a new package.
> >
> > -Steve
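
The grouping behaviour discussed in this thread, as an added example that is not part of the original messages or the audit project's code: records are keyed by the timestamp and serial in `msg=audit(...)`, and an event is emitted as soon as its PROCTITLE record arrives. The log lines are constructed, `group_events` and `flush_on_proctitle` are hypothetical names, and emitting leftover events at end of input is a simplification.

```python
import re
from collections import OrderedDict

# Constructed sample: two syscall events whose records are interlaced in the log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1452200000.100:501): syscall=2 success=yes pid=4001
type=SYSCALL msg=audit(1452200000.100:502): syscall=59 success=yes pid=4002
type=CWD msg=audit(1452200000.100:501): cwd="/root"
type=PATH msg=audit(1452200000.100:502): item=0 name="/bin/ls"
type=PATH msg=audit(1452200000.100:501): item=0 name="/etc/shadow"
type=PROCTITLE msg=audit(1452200000.100:501): proctitle=636174
type=PROCTITLE msg=audit(1452200000.100:502): proctitle=6C73
type=USER_LOGIN msg=audit(1452200000.200:503): pid=4003 res=success
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")

def group_events(lines, flush_on_proctitle=True):
    """Return (events, peak_pending). events is a list of
    ((timestamp, serial), [record types]) in the order events were completed."""
    pending = OrderedDict()   # event id -> record types seen so far
    done, peak = [], 0
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            continue          # skip blank or malformed lines
        rtype, stamp, serial = m.group(1), m.group(2), int(m.group(3))
        key = (stamp, serial)
        pending.setdefault(key, []).append(rtype)
        peak = max(peak, len(pending))
        # The thread's assumption: PROCTITLE, if present, is the event's last
        # record, so the event can be emitted now instead of held in memory.
        if flush_on_proctitle and rtype == "PROCTITLE":
            done.append((key, pending.pop(key)))
    # Simplification: everything still pending is emitted at end of input.
    done.extend(pending.items())
    return done, peak

if __name__ == "__main__":
    for key, types in group_events(SAMPLE_LOG.splitlines())[0]:
        print(key, types)
```

With `flush_on_proctitle=False` the same events come out, but all three stay pending until the end of input, which is the memory overhead the PROCTITLE check avoids.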