From: LC Bruzenak
Subject: audit-viewer error
Date: Wed, 13 Aug 2008 14:10:45 -0500
Message-ID: <1218654645.7022.147.camel@homeserver>
To: Linux Audit
List-Id: linux-audit@redhat.com

My audit-viewer (audit-viewer-0.3-1) crashes at startup with the following:

Traceback (most recent call last):
  File "/usr/share/audit-viewer/main.py", line 71, in
    if w.setup_initial_window(args):
  File "/usr/share/audit-viewer/main_window.py", line 158, in setup_initial_window
    self.new_list_tab([])
  File "/usr/share/audit-viewer/main_window.py", line 176, in new_list_tab
    tab = ListTab(filters, self)
  File "/usr/share/audit-viewer/list_tab.py", line 161, in __init__
    self.refresh()
  File "/usr/share/audit-viewer/list_tab.py", line 195, in refresh
    event_sequence = self.__refresh_get_event_sequence()
  File "/usr/share/audit-viewer/list_tab.py", line 483, in __refresh_get_event_sequence
    want_other_fields, True)
  File "/usr/share/audit-viewer/main_window.py", line 265, in read_events
    keep_raw_records)
  File "/usr/share/audit-viewer/event_source.py", line 135, in read_events
    e = events[(ts.serial, ts.sec, ts.milli)]
AttributeError: 'NoneType' object has no attribute 'serial'

I looked back through all the event IDs from today (I assume
ts.serial==auid) and didn't see any missing yet.

I did see some ordering inconsistency (probably normal) - from "ausearch
-ts today -i" (note the second event set - the time and auid are not
consecutive as with the others). Surrounding events concatenated for
brevity:

----
type=PATH msg=audit(08/13/2008 10:35:11.661:2406) : item=1...
type=PATH msg=audit(08/13/2008 10:35:11.661:2406) : item=0...
type=CWD msg=audit(08/13/2008 10:35:11.661:2406) : cwd=/
type=SYSCALL msg=audit(08/13/2008 10:35:11.661:2406) : ...
----
type=SYSCALL msg=audit(08/13/2008 09:47:47.411:1015) : arch=x86_64 syscall=read success=no exit=-4(Interrupted system call) a0=3 a1=7f0807344010 a2=21000 a3=3597f67a58 items=0 ppid=1 pid=5239 auid=lenny uid=lenny gid=lenny euid=lenny suid=lenny fsuid=lenny egid=lenny sgid=lenny fsgid=lenny tty=(none) ses=2 comm=gvfs-fuse-daemo exe=/usr/libexec/gvfs-fuse-daemon subj=user_u:user_r:user_t:s0-s15:c0.c1023 key=(null)
----
type=PATH msg=audit(08/13/2008 10:35:11.663:2407) : item=0...
type=CWD msg=audit(08/13/2008 10:35:11.663:2407) : cwd=/
type=SYSCALL msg=audit(08/13/2008 10:35:11.663:2407) : arch=x86_64...
----

Any thoughts as to what I can do? I guess I can selectively move
audit.log files out of the directory until I can see which one has data
causing the problem...

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
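
Added example, not part of the original message and not audit-viewer code: a scan of raw audit.log files that reports records with no parseable `msg=audit(sec.milli:serial):` header and records stamped earlier than the one before them, as an alternative to moving files out of the directory one at a time. It assumes the crash is triggered by a record whose timestamp cannot be parsed, which the message does not establish; the sample records and their epoch values are constructed.

```python
import re
import sys

# Raw audit.log header: msg=audit(<epoch sec>.<milli>:<serial>):
HEADER = re.compile(r"\bmsg=audit\((\d+)\.(\d{3}):(\d+)\):")


def parse_header(line):
    """Return (sec, milli, serial), or None if the header is absent or malformed."""
    m = HEADER.search(line)
    return tuple(int(g) for g in m.groups()) if m else None


def scan(lines):
    """Return (line_number, reason, text) findings for an iterable of raw records."""
    findings = []
    last = None  # timestamp tuple of the previous parseable record
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line.strip():
            continue  # blank lines are not records
        ts = parse_header(line)
        if ts is None:
            findings.append((n, "no parseable timestamp", line[:80]))
            continue
        if last is not None and ts < last:
            findings.append((n, "earlier than previous record", line[:80]))
        last = ts
    return findings


# Constructed sample: one out-of-order record and one truncated record.
SAMPLE = [
    'type=CWD msg=audit(1218638111.661:2406): cwd="/"',
    "type=SYSCALL msg=audit(1218635267.411:1015): arch=c000003e syscall=0 exit=-4",
    "type=PATH msg=audit(1218638111.663:2407): item=0",
    "type=PATH msg=audit(12186381",
]

if __name__ == "__main__":
    paths = sys.argv[1:]  # e.g. the audit.log files in the log directory
    if not paths:
        for n, reason, text in scan(SAMPLE):
            print(f"sample:{n}: {reason}: {text}")
    for path in paths:
        with open(path, errors="replace") as fh:
            for n, reason, text in scan(fh):
                print(f"{path}:{n}: {reason}: {text}")
```

Out-of-order records are reported for information only; a missing or truncated header is the case that would leave a parser without a timestamp.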