On Tue, 2008-01-15 at 08:58 -0500, John Dennis wrote:
> James Antill wrote:
> > The second iovec above can't just be MAX_AUDIT_MESSAGE_LENGTH, or if
> > there are two messages you'll read some/all of the next one(s). You
> > either need to read the header first and then use hdr.size, or separate
> > the IO from the parsing.
> > Also you can't just check for readv() as above, you need to check that
> > you've read the amount of data you want, and if you didn't get it all
> > yet then loop.
>
> This is why we provide libraries to do things like this, it can be
> tricky to get right. The feed() interface to auparse consumes arbitrary

auparse_feed() works off log files and the audispd "string" format. The
above code was using the auditd -> audispd format, so that API doesn't
work.

--
James Antill
Red Hat