From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: aureport summary
Date: Wed, 28 May 2008 19:42:50 -0400
Message-ID: <200805281942.51135.sgrubb@redhat.com>
References: <1212017265.6610.56.camel@homeserver>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1212017265.6610.56.camel@homeserver>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 28 May 2008 19:27:45 LC Bruzenak wrote:
> IIUC the last line - number of events - should be the sum of all the
> previous.
> However, adding up the events (barring OE) before that comes to 23791. I
> guess there are overlaps too - for example, the keys are possibly also
> in syscall events?
> Are some events missing on purpose?

Yes. Not every event falls into a category mentioned above. For example, on 
login you have USER_ACCT and CRED_ACQ, both of which are not picked off and 
highlighted. Just the USER_AUTH and USER_START get counted. There are others 
like that all over. 

So, the short answer is that there are no guarantees that they all add up and 
yes there can be overlaps.

-Steve