Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: EOE events in auparse output
Date: Mon, 05 Dec 2016 10:27:47 -0500
Message-ID: <1583364.QtL6vz97jr@x2>
In-Reply-To: <6ac1558f-fe8b-3e6a-decf-cdb31c180505@redhat.com>

On Monday, December 5, 2016 3:00:39 PM EST Nikolai Kondrashov wrote:
> I was playing with auditd and aushape on Fedora 24 and found some strange
> entries in my log. There was a separate *event* produced by auparse
> containing a single EOE record. These events had the same serial number as
> the directly preceding events, which were exclusively containing SYSCALL
> records.
> 
> Those EOE records didn't appear in the audit.log file.
> 
> Is this a bug? Is this normal?

The record is not created by auparse. The kernel sends this whenever there is 
a multipart event. This record is stripped before putting the event to disk to 
save disk space. We can get along with this because it can be deduced later 
and running reports from disk is not realtime. On the realtime interface it is 
passed along so that recognizing that an event is complete can occur 
immediately upon receipt. Realtime event processing kind of needs this 
guarantee.

-Steve
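The two paths Steve describes, as an added example that is not part of the thread (Python over constructed sample records, not auparse's own code): a grouper that closes an event on the kernel's EOE record when it is present, and otherwise has to deduce the end of the event from a change of serial number, which is all an audit.log reader has once the EOE has been stripped.

```python
import re

# Constructed sample stream, not taken from the thread. The realtime copy
# keeps the kernel's EOE records; the on-disk copy has them stripped, as
# the reply describes for audit.log. Serial 101 is a single-record event,
# so no EOE follows it on either path.
REALTIME = [
    'type=SYSCALL msg=audit(1480950000.123:100): arch=c000003e syscall=59 success=yes',
    'type=EXECVE msg=audit(1480950000.123:100): argc=1 a0="ls"',
    'type=PATH msg=audit(1480950000.123:100): item=0 name="/usr/bin/ls"',
    'type=EOE msg=audit(1480950000.123:100): ',
    'type=USER_LOGIN msg=audit(1480950001.456:101): pid=1200 uid=0 res=success',
    'type=SYSCALL msg=audit(1480950002.789:102): arch=c000003e syscall=2 success=no',
    'type=PATH msg=audit(1480950002.789:102): item=0 name="/etc/shadow"',
    'type=EOE msg=audit(1480950002.789:102): ',
]
DISK = [r for r in REALTIME if not r.startswith('type=EOE ')]

HDR = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')

def group_events(records):
    """Group records into events; return [(serial, closed_by, [types])].

    closed_by is 'EOE' when the kernel's end marker closed the event,
    otherwise 'serial-change' or 'end-of-stream' (completion deduced).
    """
    events, cur = [], None   # cur = [serial, [record types]]
    for rec in records:
        m = HDR.match(rec)
        if not m:
            raise ValueError('unparseable audit record: ' + rec)
        rtype, serial = m.group(1), int(m.group(3))
        if cur and serial != cur[0]:
            # A new serial means the previous event is over; this is the
            # only signal available once EOE has been stripped.
            events.append((cur[0], 'serial-change', cur[1]))
            cur = None
        if rtype == 'EOE':
            if cur is None:
                raise ValueError('EOE without an open event, serial %d' % serial)
            events.append((cur[0], 'EOE', cur[1]))
            cur = None
            continue
        if cur is None:
            cur = [serial, []]
        cur[1].append(rtype)
    if cur:
        events.append((cur[0], 'end-of-stream', cur[1]))
    return events

def count_deduced(records):
    """Number of events whose end had to be deduced rather than signalled."""
    return sum(1 for _, how, _ in group_events(records) if how != 'EOE')
```

On the realtime copy only the single-record event needs deduction; on the disk copy every event does, and the last one cannot be closed until the stream ends.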

