Dispatching of events

Dispatching of events

[Steve]

I have been testing the dispatch system by having auditd monitor when a 
certain file is opened, I have always seen 3 messages per open event (a 
1300, 1307, followed by a 1302).  I would assume other syscall rule 
violations may trigger fewer or more messages.

So, is there a way to tell when all messages for a particular event have 
been dispatched?  I am combining information from each of an event's 
messages to create an entry in a queue (containing event structures that 
I created).  I am trying to determine when I can process the combined 
event information (when there are no more messages) so it can be removed 
from the queue.

Also, is it safe to assume a type 1300 message is always the first 
message pertaining to a rule violation?

Thanks,
Steve

Re: Dispatching of events

[Steve Grubb]

On Wednesday 14 June 2006 08:41, Steve wrote:
> So, is there a way to tell when all messages for a particular event have
> been dispatched? 

This was recently discussed on the list. All the records for the same event 
come out one after another. There is a chance that some other event may sneak 
in during the dump. But you can pretty well assume that if there are no more 
records emitted with the same serial number/time stamp within 2-3 seconds, 
you have a complete event.

> Also, is it safe to assume a type 1300 message is always the first
> message pertaining to a rule violation?

Maybe not. I'd not make that assumption just to be safe. Collect the full 
event's information, then look at the message types.

-Steve