From: Steve Grubb
Subject: Re: comparing record ids in auparse
Date: Wed, 5 Sep 2007 13:17:33 -0400
Message-ID: <200709051317.34281.sgrubb@redhat.com>
References: <1189008706.15928.12.camel@junko.usersys.redhat.com> <200709051223.59958.sgrubb@redhat.com> <1189010228.15928.19.camel@junko.usersys.redhat.com>
In-Reply-To: <1189010228.15928.19.camel@junko.usersys.redhat.com>
To: John Dennis
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 05 September 2007 12:37:08 John Dennis wrote:
> On Wed, 2007-09-05 at 12:23 -0400, Steve Grubb wrote:
> > On Wednesday 05 September 2007 12:11:46 John Dennis wrote:
> > > Should two different events from two different hosts be comparable?
> >
> > In a consolidated log, they are not equal. I suppose that should be fixed
> > in the next release.
>
> Right, but the way the cmp operator works is if it's not equal it's
> either less than or greater than,

Yeah, and I want to leave it that way. Its intent is to provide a way to
compare a data type that is not straightforward.

> neither of which is meaningful as a result if they are not from the same
> host, right?

What you seek is a yes/no answer. Are they from the same host? Because based
on that answer, you may or may not want to compare timestamps.

> At the moment all I can think of is that auparse_timestamp_compare() will
> have to be deprecated and replaced with a different function, unless you
> have a better idea. Suggestions?

It could be incumbent on the programmer to know what's being compared. :)

I think this is a common database programming issue. (auparse is modelled
after database functions.) Suppose you have a POS database. You have sales
information from many stores. If you want to total the sales from a particular
store, you have to select that store within a time range. If you wanted all
sales for a day, you just check timestamps. IOW, I think the programmer should
know what they are trying to do and take nodes into account. We can easily
write a function that takes 2 events and decides if they are from the same
node. That would give you the yes/no answer.

-Steve
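The two pieces discussed in this message, a yes/no "same node?" check and a three-way timestamp ordering that only means something once that check has passed, as an added example that is not code from the thread or from libauparse. The `ev_t` struct is a local stand-in whose fields mirror the `au_event_t` layout (sec, milli, serial, host) so the example compiles without the library; `same_node`, `timestamp_compare` and `ordered_compare` are example names, not auparse API, and the three events are constructed, not real audit data.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Local mirror of the au_event_t layout (sec, milli, serial, host), defined
 * here so the example builds without libauparse. Assumption: field names and
 * meanings follow auparse-defs.h; this struct is the example's own. */
typedef struct {
    time_t sec;           /* event time, seconds since the epoch */
    unsigned int milli;   /* millisecond part of the timestamp */
    unsigned long serial; /* kernel-assigned serial number of the event */
    const char *host;     /* node name in a consolidated log, NULL for local */
} ev_t;

/* The yes/no question from the thread: are two events from the same node?
 * A NULL host means "this machine", so NULL matches only NULL. */
int same_node(const ev_t *a, const ev_t *b)
{
    if (a->host == NULL || b->host == NULL)
        return a->host == b->host;
    return strcmp(a->host, b->host) == 0;
}

/* Three-way ordering on (sec, milli, serial): the cmp-style result
 * (<0, 0, >0) that is kept as is. Only meaningful when same_node() said yes. */
int timestamp_compare(const ev_t *a, const ev_t *b)
{
    if (a->sec != b->sec)
        return a->sec < b->sec ? -1 : 1;
    if (a->milli != b->milli)
        return a->milli < b->milli ? -1 : 1;
    if (a->serial != b->serial)
        return a->serial < b->serial ? -1 : 1;
    return 0;
}

/* What a consumer of a consolidated log should do: take nodes into account
 * first and refuse to order cross-host events rather than hand back a
 * meaningless <0 / >0. Returns 1 and sets *order when comparable, else 0
 * and leaves *order untouched. */
int ordered_compare(const ev_t *a, const ev_t *b, int *order)
{
    if (!same_node(a, b))
        return 0;
    *order = timestamp_compare(a, b);
    return 1;
}

/* Constructed sample events (not real audit records). */
static const ev_t ev_web1_a = { 1189010228, 120, 4711, "web1" };
static const ev_t ev_web1_b = { 1189010228, 120, 4712, "web1" };
static const ev_t ev_db1    = { 1189010228, 119, 4711, "db1"  };
static const ev_t ev_local  = { 1189010228, 119, 4711, NULL   };

int main(void)
{
    int order;

    if (ordered_compare(&ev_web1_a, &ev_web1_b, &order))
        printf("web1: event a %s event b\n", order < 0 ? "precedes" : "follows");

    if (!ordered_compare(&ev_web1_a, &ev_db1, &order))
        printf("web1 vs db1: different nodes, timestamps not compared\n");

    if (!ordered_compare(&ev_local, &ev_db1, &order))
        printf("local vs db1: different nodes, timestamps not compared\n");

    return 0;
}
```

The split matters because `ev_db1` has an earlier millisecond value than `ev_web1_a`: a bare three-way compare would report it as "earlier" even though the two hosts' clocks were never shown to agree, which is exactly the ordering the thread calls meaningless.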