From: Steve
Subject: Dispatching of events
Date: Wed, 14 Jun 2006 08:41:45 -0400
Message-ID: <44900409.4040008@ornl.gov>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I have been testing the dispatch system by having auditd monitor when a certain file is opened. I have always seen 3 messages per open event (a 1300, 1307, followed by a 1302). I would assume other syscall rule violations may trigger fewer or more messages. So, is there a way to tell when all messages for a particular event have been dispatched?

I am combining information from each of an event's messages to create an entry in a queue (containing event structures that I created). I am trying to determine when I can process the combined event information (when there are no more messages) so it can be removed from the queue.
Also, is it safe to assume a type 1300 message is always the first message pertaining to a rule violation?

Thanks,
Steve
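
Added example, not part of Steve's message and not code from the audit project: one way to group dispatched records into events, using the audit(seconds.millis:serial) stamp that all records of one event share. It assumes each record arrives as a numeric type plus its text and that a change of stamp closes the previous event; struct event, parse_id() and feed() are hypothetical names, and the sample records are constructed.

```c
#include <stdio.h>
#include <string.h>

/* One pending event: the records that share one audit(sec.ms:serial) stamp. */
struct event { char ts[32]; unsigned long serial; int nrec; int types[8]; };

/* Extract "sec.ms" and the serial from "audit(sec.ms:serial)"; 0 on success. */
static int parse_id(const char *msg, char *ts, unsigned long *serial)
{
    const char *p = strstr(msg, "audit(");
    return (p && sscanf(p, "audit(%31[0-9.]:%lu)", ts, serial) == 2) ? 0 : -1;
}

/* Feed one record. Returns 1 and copies the finished event to *done when the
 * record carries a new stamp (assumption: records of different events are
 * not interleaved), 0 when it joins the pending event, -1 if it has no stamp. */
static int feed(struct event *cur, int type, const char *msg, struct event *done)
{
    char ts[32]; unsigned long serial; int flushed = 0;
    if (parse_id(msg, ts, &serial) != 0) return -1;
    if (cur->nrec && (serial != cur->serial || strcmp(ts, cur->ts) != 0)) {
        *done = *cur; cur->nrec = 0; flushed = 1;
    }
    if (cur->nrec == 0) { strcpy(cur->ts, ts); cur->serial = serial; }
    if (cur->nrec < 8) cur->types[cur->nrec++] = type;
    return flushed;
}

/* Constructed sample: one full open() event (1300, 1307, 1302) followed by
 * the start of a second one. Returns the number of events seen to complete. */
static int demo(void)
{
    static const struct { int type; const char *msg; } in[] = {
        {1300, "audit(1150288905.123:41): arch=40000003 syscall=5 success=yes"},
        {1307, "audit(1150288905.123:41): cwd=\"/home/steve\""},
        {1302, "audit(1150288905.123:41): name=\"/tmp/watched\" inode=1234"},
        {1300, "audit(1150288907.456:42): arch=40000003 syscall=5 success=yes"},
        {1307, "audit(1150288907.456:42): cwd=\"/home/steve\""},
    };
    struct event cur = {0}, done; int completed = 0;
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        if (feed(&cur, in[i].type, in[i].msg, &done) == 1) {
            completed++;
            printf("event %s:%lu complete: %d records, first type %d\n",
                   done.ts, done.serial, done.nrec, done.types[0]);
        }
    return completed;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

In this sketch the second event stays pending, because nothing with a different stamp has arrived yet to close it.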