From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [PATCH] Add End of Event record
Date: Thu, 27 Sep 2007 13:09:36 -0400
Message-ID: <200709271309.37522.sgrubb@redhat.com>
References: <200709270916.43149.sgrubb@redhat.com> <1190911815.15596.43.camel@finch.boston.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1190911815.15596.43.camel@finch.boston.redhat.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: John Dennis
Cc: Linux Audit
List-Id: linux-audit@redhat.com

On Thursday 27 September 2007 12:50:15 John Dennis wrote:
> I believe the consequences are this:
>
> 1) A real time audit parsing library must still support both event
> closure mechanisms (note, parsing libraries are user space and
> independent of kernel versions and hosts).

Yes.

> 2) The library when it opens an audit stream must start with its
> closure mechanism set to "interval".

If you design it so, yes. I'd rather just say it's either timing out the
connection or when the processed time in the file has elapsed beyond say 2
seconds...

> 3) If AUDIT_EOE is seen the library sets its closure mechanism to
> "EOE". Closed events will then be emitted earlier than previously.

Correct. This is all about speeding up the realtime analysis.

-Steve
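The two closure mechanisms discussed in the thread (start in "interval" mode, switch to "EOE" mode once an AUDIT_EOE record is seen, so that complete events are emitted as soon as the kernel marks them finished) can be shown as a small user-space event assembler. The code below is an added illustration written for this page; it is not part of the kernel patch, of audit-libs or of anything Steve or John posted. It assumes the record prefix `type=... msg=audit(SECS.MSEC:SERIAL):`, uses the 2-second processed-time interval mentioned in the reply, and (as a design choice of this example, not something the thread specifies) keeps the interval sweep running as a backstop in EOE mode so that events opened before the first EOE still get closed. The audit lines in `SAMPLE_RECORDS` are constructed for the demonstration.

```python
import re

# Every audit record starts with "type=TYPE msg=audit(SECS.MSEC:SERIAL):";
# records sharing one serial number belong to the same event.
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")


class EventAssembler:
    """Groups audit records into events and closes them by EOE or by interval."""

    def __init__(self, interval=2.0):
        self.interval = interval   # processed-time seconds after which a pending event is closed
        self.mode = "interval"     # "interval" until the first AUDIT_EOE record, then "EOE"
        self.pending = {}          # serial -> event dict (dict keeps arrival order)

    def feed(self, line):
        """Process one record line; return the list of events closed by it."""
        m = RECORD_RE.match(line)
        if m is None:
            return []  # not an audit record; ignore it
        rtype = m.group("type")
        ts = float(m.group("ts"))
        serial = int(m.group("serial"))
        closed = []

        if rtype == "EOE":
            # Seeing AUDIT_EOE means the kernel marks event boundaries: switch modes
            # and close this serial immediately instead of waiting for the interval.
            self.mode = "EOE"
            ev = self.pending.pop(serial, None)
            if ev is not None:
                ev["closed_by"] = "EOE"
                closed.append(ev)
        else:
            ev = self.pending.setdefault(serial, {"serial": serial, "ts": ts, "records": []})
            ev["records"].append(line)

        # Interval closure: once processed time has moved more than `interval`
        # seconds past an event's timestamp, emit it. This is the only closure in
        # "interval" mode and a backstop (example design choice) in "EOE" mode.
        for s in list(self.pending):
            if ts - self.pending[s]["ts"] > self.interval:
                ev = self.pending.pop(s)
                ev["closed_by"] = "interval"
                closed.append(ev)
        return closed

    def flush(self):
        """Close everything still pending (end of file or connection timeout)."""
        closed = list(self.pending.values())
        for ev in closed:
            ev["closed_by"] = "flush"
        self.pending.clear()
        return closed


# Constructed sample stream: event 100 has no EOE (as from a kernel without the
# patch), events 101 and 102 are terminated by EOE records.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1190911815.100:100): arch=c000003e syscall=2 success=yes',
    'type=CWD msg=audit(1190911815.100:100): cwd="/"',
    'type=PATH msg=audit(1190911815.100:100): item=0 name="/etc/passwd"',
    'type=SYSCALL msg=audit(1190911815.150:101): arch=c000003e syscall=59 success=yes',
    'type=EXECVE msg=audit(1190911815.150:101): argc=1 a0="ls"',
    'type=EOE msg=audit(1190911815.150:101): ',
    'type=SYSCALL msg=audit(1190911818.500:102): arch=c000003e syscall=2 success=no',
    'type=EOE msg=audit(1190911818.500:102): ',
]


def assemble(lines, interval=2.0):
    """Run a whole stream through the assembler; return (closed events, final mode)."""
    asm = EventAssembler(interval)
    events = []
    for line in lines:
        events.extend(asm.feed(line))
    events.extend(asm.flush())
    return events, asm.mode


if __name__ == "__main__":
    events, mode = assemble(SAMPLE_RECORDS)
    for ev in events:
        print(ev["serial"], ev["closed_by"], len(ev["records"]), "records")
    print("final mode:", mode)
```

Running it on the sample stream emits event 101 first (closed by its EOE as soon as it arrives), then event 100 (closed by the 2-second interval once record 102's timestamp moves past it), then event 102 (by EOE); the assembler ends in "EOE" mode, which is the earlier-emission behaviour the thread describes.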