From: Steve Grubb
Subject: Re: Patch to auparse to handle out of order messages 3 of 3
Date: Thu, 07 Jan 2016 18:44:24 -0500
Message-ID: <9882122.aVvjtOsnp8@x2>
References: <1452076236.26850.89.camel@swtf.swtf.dyndns.org> <5860216.amsKJMebuE@x2> <1452207913.27159.4.camel@swtf.swtf.dyndns.org>
In-Reply-To: <1452207913.27159.4.camel@swtf.swtf.dyndns.org>
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com

On Friday, January 08, 2016 10:05:13 AM Burn Alting wrote:
> Steve,
>
> Can I suggest you modify src/ausearch-lol.c:check_events() to add in the
> AUDIT_PROCTITLE check (will reduce memory overhead as events will be
> flushed faster).

OK. Good suggestion. The SVN repo has been updated.

> Also can we ask Richard to put a comment into the appropriate location in
> the kernel code to indicate the link between ausearch/aureport/auparse
> depending on AUDIT_PROCTITLE being the last record of an event if
> present.

I'll let them answer. That said, one of the things I want to add in the next
development cycle is the ability to get rid of proctitle records if the admin
wants to. They waste a lot of space. But if they are missing, then we have the
same performance as we did before I added this patch.

-Steve

> On Thu, 2016-01-07 at 17:31 -0500, Steve Grubb wrote:
> > On Wednesday, January 06, 2016 09:30:36 PM Burn Alting wrote:
> > > #3 - modify the standard auparse() test code.
> >
> > And this patch is applied. Thanks, Burn, for all the patches! This will
> > make analytical programs much more accurate since interlaced records
> > won't split an event up any more.
> >
> > If anyone wants to try out the new audit code from svn, please send any
> > feedback asap. (Same with other bug reports.) I am aiming for a release in
> > the next 2 days. I just have to finish working on Richard's audit by
> > process name patch and then it's time to release a new package.
> >
> > -Steve
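The thread above turns on two facts about Linux audit logs: records belonging to different events can arrive interlaced, and when a PROCTITLE record is present it is the last record of its event. The following is an added illustration of why an "AUDIT_PROCTITLE closes the event" check reduces memory held by an event assembler; it is not code from auparse or ausearch, and the sample records and the `type=... msg=audit(ts:serial):` parsing are constructed here for the example.

```python
import re
from collections import OrderedDict

# Constructed sample log: records of events 1001 and 1002 are interlaced,
# and event 1003 (LOGIN) has no PROCTITLE record at all.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1452207913.100:1001): arch=c000003e syscall=2 success=yes exit=3
type=SYSCALL msg=audit(1452207913.101:1002): arch=c000003e syscall=59 success=yes exit=0
type=CWD msg=audit(1452207913.100:1001): cwd="/tmp"
type=PATH msg=audit(1452207913.100:1001): item=0 name="notes.txt"
type=PROCTITLE msg=audit(1452207913.100:1001): proctitle="cat notes.txt"
type=EXECVE msg=audit(1452207913.101:1002): argc=1 a0="ls"
type=PROCTITLE msg=audit(1452207913.101:1002): proctitle="ls"
type=LOGIN msg=audit(1452207913.102:1003): pid=900 uid=0 auid=1000 ses=5
""".splitlines()

# Every audit record starts with its type and an audit(timestamp:serial) stamp;
# the (timestamp, serial) pair identifies the event the record belongs to.
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')


def assemble_events(lines, proctitle_marks_end=True):
    """Group records into events keyed by (timestamp, serial).

    With proctitle_marks_end=True an event is flushed the moment its
    PROCTITLE record arrives; otherwise every event stays open until the
    end of input. Returns (events, peak_open): events is a list of
    (serial, [record types]) in flush order, peak_open is the largest
    number of events held in memory at once.
    """
    open_events = OrderedDict()
    done = []
    peak_open = 0
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record
        rtype, ts, serial = m.groups()
        key = (ts, int(serial))
        open_events.setdefault(key, []).append(rtype)
        peak_open = max(peak_open, len(open_events))
        if proctitle_marks_end and rtype == "PROCTITLE":
            done.append((key[1], open_events.pop(key)))
    # Events that never get a PROCTITLE record flush at end of input.
    done.extend((k[1], recs) for k, recs in open_events.items())
    return done, peak_open
```

On the constructed input the early flush holds at most two events at once, while the no-check variant holds all three until end of input; on a real log with many interlaced events the gap is what Burn's suggestion is about.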