public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Nowakowski Media <johnnybanks604@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit change
Date: Sun, 20 Jan 2019 10:59:27 +0100	[thread overview]
Message-ID: <20190120105927.300256f3@ivy-bridge> (raw)
In-Reply-To: <CAMjGq6kpKgWA9yjmwMU9NM-MA0m_+UFvw8s6G5L=re3a2UD4gw@mail.gmail.com>

On Sat, 19 Jan 2019 18:40:14 -0500
Nowakowski Media <johnnybanks604@gmail.com> wrote:
> If the audit messages would shift up 1 from the first_event you could
> track the performance of the audit daemon. Having 2 messages typed
> with the same number is confusing.

I am not sure I understand what you are asking about. The audit system has
used the same numbering technique for at least 14 years. Maybe you are
referring to this:

audit(1520664214.224:39242)

In this time stamp we have 3 fields. To the left of the period is
seconds since 1970. Just to the right is millisecond within the seconds
since 1970. The last field after the colon is the serial number. The
serial number is used to group all records that are part of the same
event. There can be multiple events within the same millisecond so this
serial number also serves to differentiate other events within the
same millisecond. At last, to make things more complicated, there is
nothing in the kernel that serializes the events. So, the stream that
comes out of the kernel and even written to disk can have 2 or more
events with interlaced records. The userspace utilities have to be
aware of this and reassemble the events correctly.

Hopefully I have given some background about how the time stamp is
used. Does this help? If not, could you explain your comment in a
little more detail?

Thanks,
-Steve


Thread overview: 2+ messages
2019-01-19 23:40 Audit change Nowakowski Media
2019-01-20  9:59 ` Steve Grubb [this message]
