From: Steve Grubb <sgrubb@redhat.com>
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] ausearch: Add checkpoint capability and have incomplete logs carry forward when processing multiple audit.log files
Date: Mon, 13 May 2013 17:50:48 -0400
Message-ID: <1529875.hVlVHU8r5U@x2>
In-Reply-To: <1368478277.19077.219.camel@swtf.swtf.dyndns.org>

On Tuesday, May 14, 2013 06:51:17 AM Burn Alting wrote:
> If you hold off, I will separate these later today and re-submit.

I have applied the portion of the patch that fixes the second issue as commit
831. I extended it to also give the same treatment to aureport since its file
processing code is very similar to ausearch. I'll send the checkpoint patch
separately to make sure we are sync'ed.

-Steve

> > On Saturday, May 11, 2013 03:59:34 PM Burn Alting wrote:
> > > Attached is a patch for review.
> > >
> > > It is against revision 829 within http://svn.fedorahosted.org/svn/audit
> > >
> > > This patch
> > >
> > > - allows ausearch to checkpoint itself, in that, successive invocations
> > > will only display new events. This is enabled via the --checkpoint fn
> > > option. The mods to ausearch.8 describe the method of achieving this.
> > >
> > > - fixes a minor annoyance/bug in that, when ausearch processes events
> > > from multiple audit.log files, incomplete events are considered as
> > > complete (and hence printed) when ausearch encounters an EOF on input
> > > from all the log files being processed. Now, ausearch only flushes
> > > incomplete events on the last log file being processed.
> >
> > First of all, thanks for submitting the patch. It's nice to have a
> > problem/feature request that has a solution attached. :-)
> >
> > But if at all possible, I'd really like to keep bug fixes and features
> > separated in patches. There are some distributions that would pick up the
> > bug fix, but hold the feature until next OS version. It also lets one
> > patch proceed to get applied should more discussion be required on the
> > other portion. And should one introduce a new problem, it will allow
> > bisecting to more closely pinpoint the patch that caused the problem.
> >
> > I'll try to separate these. I think, from reading the code, the portion
> > that addresses not flushing on EOF is simple and straightforward and can
> > be applied. The other piece may need some discussion - not sure without
> > having them separated and looking it over.
> >
> > Thanks,
> > -Steve