From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: auparse_interpret_field()
Date: Fri, 9 Nov 2007 12:56:41 -0500
Message-ID: <200711091256.42639.sgrubb@redhat.com>
References: <1194560760.10377.11.camel@klausk.br.ibm.com>
	<OF917B8105.758744C1-ON8525738E.005EDB78-8525738E.005F3034@br.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <OF917B8105.758744C1-ON8525738E.005EDB78-8525738E.005F3034@br.ibm.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: klausk@br.ibm.com
Cc: "Linux-audit@redhat.com" <Linux-audit@redhat.com>, linux-audit-bounces@redhat.com
List-Id: linux-audit@redhat.com

On Friday 09 November 2007 12:15:43 klausk@br.ibm.com wrote:
> Trying to debug this problem, I saw that it's happening because the rec=
ord
> 'machine' field in the auparse internal structure is set to '-1':

That would do it. Now...how did that happen? arch says its a 64 bit S390=20
machine.

> (gdb) p *r
> $17 =3D {
> =C2=A0 record =3D 0x80041510 "node=3Dkwuser3.edincott.ibm type=3DSYSCAL=
L
> msg=3Daudit(1194628042.317:58358): arch=3D80000016 syscall=3D5 success=3D=
yes
> exit=3D3 a0=3D800ed250 a1=3D241 a2=3D1b6 a3=3D0 items=3D1 ppid=3D14670 =
pid=3D14672 auid=3D0
> uid=3D0 gid=3D0 euid=3D0"..., type =3D 0, machine =3D -1, syscall =3D -=
1, a0 =3D 0, a1 =3D
> 0, nv =3D {head =3D 0x80039dd0, cur =3D 0x8002ad10,
> =C2=A0 =C2=A0 cnt =3D 27}, item =3D 0, list_idx =3D 0, line_number =3D =
19, next =3D 0x0}
>
> Any chance this might be happening because I don't have the complete ev=
ent

Nope, this gets pulled out of syscall records.

-Steve