From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Auditd 1.0.15 in RHEL4 U4
Date: Wed, 14 Feb 2007 10:55:09 -0500
Message-ID: <200702141055.09495.sgrubb@redhat.com>
References: <1171288460.4760.10.camel@localhost.localdomain> <200702122129.49009.sgrubb@redhat.com> <1171464310.4061.2.camel@localhost.localdomain>
In-Reply-To: <1171464310.4061.2.camel@localhost.localdomain>
To: Matthew Booth
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 14 February 2007 09:45:10 Matthew Booth wrote:
> On Mon, 2007-02-12 at 21:29 -0500, Steve Grubb wrote:
> > > Also, I had a quick flick through the dispatcher example. I note that
> > > it's shipping binary logs.
> >
> > Hmm. I don't recall any binary logs in examples...are you sure?
>
> I was going by this document:
> http://people.redhat.com/sgrubb/audit/audit-rt-events.txt
>
> Is that not the interface you will be presenting?

That is the interface I am presenting. There are a couple binary elements that
are part of the header, but the event data itself follows the header and is
just one big string exactly as it came from the kernel. That could change if
the protocol version number changes from 0. But it should remain constant
across a shipping product's lifetime.

-Steve
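
An added example, not part of the original message or of the audit package: a consumer that checks the binary header before treating the rest of the frame as the kernel's event string, and refuses any protocol version other than 0. The four-field layout is assumed from `struct audit_dispatcher_header` in libaudit.h; `disp_parse`, `disp_demo`, `DISP_MAX_TEXT` and the sample event are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layout assumed from struct audit_dispatcher_header in libaudit.h; the
 * message above only says the header holds a few binary elements. */
struct disp_hdr {
    uint32_t ver;   /* protocol version, 0 in the message above */
    uint32_t hlen;  /* header length in bytes */
    uint32_t type;  /* audit record type */
    uint32_t size;  /* bytes of event text after the header */
};
#define DISP_MAX_TEXT 8192u /* hypothetical cap chosen for this example */
enum { DISP_SHORT = -1, DISP_BAD_VER = -2, DISP_BAD_LEN = -3 };

/* Validate one frame in buf[0..len). Returns the event text length and sets
 * *text (not NUL-terminated, points into buf), or a negative DISP_* code. */
static int disp_parse(const unsigned char *buf, size_t len, const char **text)
{
    struct disp_hdr h;
    if (len < sizeof(h))
        return DISP_SHORT;
    memcpy(&h, buf, sizeof(h));      /* assumed host byte order */
    if (h.ver != 0)
        return DISP_BAD_VER;         /* payload may no longer be a string */
    if (h.hlen < sizeof(h) || h.hlen > len || h.size > DISP_MAX_TEXT)
        return DISP_BAD_LEN;
    if (h.size > len - h.hlen)
        return DISP_SHORT;           /* event text truncated */
    *text = (const char *)buf + h.hlen;
    return (int)h.size;
}

/* Constructed sample: frame a short event string as version `ver`, drop `cut`
 * trailing bytes, and return what disp_parse makes of it. */
static int disp_demo(uint32_t ver, size_t cut)
{
    static const char msg[] = "audit(1171464310.123:42): syscall=5 success=yes";
    struct disp_hdr h = { ver, (uint32_t)sizeof(h), 1300, (uint32_t)sizeof(msg) - 1 };
    unsigned char frame[sizeof(h) + sizeof(msg)];
    const char *text = NULL;
    int n;
    memcpy(frame, &h, sizeof(h));
    memcpy(frame + sizeof(h), msg, sizeof(msg));
    n = disp_parse(frame, sizeof(h) + sizeof(msg) - 1 - cut, &text);
    return (n > 0 && memcmp(text, msg, (size_t)n) != 0) ? DISP_BAD_LEN : n;
}

int main(void) { return disp_demo(0, 0) == 47 ? 0 : 1; }
```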