From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: audisp-prelude problems
Date: Wed, 3 Dec 2008 12:34:11 -0500
Message-ID: <200812031234.11638.sgrubb@redhat.com>
References: <49424.193.230.245.33.1228323199.squirrel@secure.myclar.ro> <1228324666.14768.131.camel@homeserver>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1228324666.14768.131.camel@homeserver>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 03 December 2008 12:17:46 LC Bruzenak wrote:
> MY favorite: ask Steve how to make the aggregating side flexible in
> this regard.

Why did I know this was coming? :)

> We may need a BZ filed or a consensus about what is important on this list. I
> also would like a separation based on time to allow for an easier
> archive/restore capability

There is a cron script shipped but not installed that can do the right thing.

> ...and maybe that built in if possible! Separation based on node is also a
> potential "good thing".

The main problem is that once it's separated, ausearch/report don't know how to
put it back together again. The current algorithm is a simple number index, and
ausearch, aureport, and even auparse know how to find the files in the right
order to make sense of it.

-Steve