From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: order of entries output from ausearch -i
Date: Wed, 13 Nov 2013 15:35:36 -0500
Message-ID: <5330451.157zfHkgAY@x2>
References: <528334D5.6030609@linaro.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <528334D5.6030609@linaro.org>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, November 13, 2013 05:14:13 PM AKASHI Takahiro wrote:
> Hi Steve
>
> I followed your advice and verified my patch of AArch64 audit support
> by comparing the output from
>   # autrace /bin/ls
>   # ausearch -i -p XXX | grep SYSCALL
> with the output from
>   # strace /bin/ls
>
> Here I found that the entries shown by "ausearch -i" are listed
> partially in the order of LIFO (Last In First Out?).
> I don't think this behavior is "intuitive".
> (As you know, ausearch without -i generates FIFO order of outputs.)
> Is there any good reason?

Yes, the syscall record is often the most important. It's better to scroll the
auxiliary records off the screen leaving just the syscall record. For example,
if you triggered a syscall event against kill(-1, SIGTERM) you could have 100
or more OBJ_PID records with that syscall.

-Steve
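The practical lesson of the exchange above is that records belonging to one audit event are tied together by the `audit(timestamp:serial)` stamp, not by their position in the output, so any tool that post-processes ausearch output should group on that stamp rather than assume the SYSCALL record comes first or last. The script below is an added example written for this page; it is not part of the thread and not code from the audit userspace. It parses a small constructed raw log (the kill(-1, SIGTERM) case Steve mentions, with made-up pids, timestamps and an x86_64 arch value rather than AArch64), groups records per event, and re-emits each event in raw order or in the "auxiliary records first, SYSCALL last" order the thread describes for `ausearch -i`. Reversing the whole record list within an event is this example's approximation of that behaviour, not a claim about ausearch internals.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample log, not from the original thread or any real host.
# Event 2041: kill(-1, SIGTERM) from a shell, producing one OBJ_PID record per
# signalled process. Event 2042: an ordinary open() with CWD/PATH records.
# arch=c000003e is x86_64 (syscall 62 = kill, 2 = open); field values are
# invented for illustration.
SAMPLE_RAW_LOG = """\
type=SYSCALL msg=audit(1384374913.486:2041): arch=c000003e syscall=62 success=yes exit=0 a0=ffffffffffffffff a1=f a2=0 a3=0 items=0 ppid=1 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="kill" exe="/usr/bin/kill" key="signals"
type=OBJ_PID msg=audit(1384374913.486:2041): opid=2033 oauid=1000 ouid=1000 oses=3 obj=unconfined_u:unconfined_r:unconfined_t:s0 ocomm="bash"
type=OBJ_PID msg=audit(1384374913.486:2041): opid=2077 oauid=1000 ouid=1000 oses=3 obj=unconfined_u:unconfined_r:unconfined_t:s0 ocomm="sleep"
type=OBJ_PID msg=audit(1384374913.486:2041): opid=2090 oauid=1000 ouid=1000 oses=3 obj=unconfined_u:unconfined_r:unconfined_t:s0 ocomm="vim"
type=SYSCALL msg=audit(1384374920.101:2042): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=2033 pid=2105 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=CWD msg=audit(1384374920.101:2042):  cwd="/home/user"
type=PATH msg=audit(1384374920.101:2042): item=0 name="." inode=131 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=NORMAL
"""

# One raw record: "type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <key=value ...>"
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; quoted values may contain spaces, bare ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit line into type, event id and a field dict."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = OrderedDict((k, v.strip('"')) for k, v in FIELD_RE.findall(m.group("body")))
    return {
        "type": m.group("type"),
        # The (timestamp, serial) pair is what makes records one event.
        "event": (m.group("ts"), int(m.group("serial"))),
        "fields": fields,
        "raw": line,
    }


def group_events(log_text):
    """Map each event id to its records, preserving emission order."""
    events = OrderedDict()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["event"], []).append(rec)
    return events


def order_records(records, interpret):
    """Raw mode keeps kernel emission order (SYSCALL first).

    Interpreted mode here reverses the event so the SYSCALL record is the
    last thing printed, which is the ordering the thread describes: the
    auxiliary records scroll off and the syscall record stays on screen.
    (Assumption: a full reversal is used as the approximation of ausearch -i.)
    """
    return list(reversed(records)) if interpret else list(records)


def record_type_counts(records):
    """How many records of each type an event carries (e.g. OBJ_PID fan-out)."""
    return Counter(r["type"] for r in records)


def syscall_records(events):
    """The position-independent way to get what 'ausearch -i | grep SYSCALL'
    gives you: select by record type within each event, never by index."""
    return [r for recs in events.values() for r in recs if r["type"] == "SYSCALL"]


def render(events, interpret):
    """Return the log as text, one event per block separated by '----'."""
    blocks = []
    for recs in events.values():
        blocks.append("\n".join(r["raw"] for r in order_records(recs, interpret)))
    return "\n----\n".join(blocks)


if __name__ == "__main__":
    evs = group_events(SAMPLE_RAW_LOG)
    print("raw order:\n" + render(evs, interpret=False))
    print("\ninterpreted order:\n" + render(evs, interpret=True))
    for eid, recs in evs.items():
        print(eid, dict(record_type_counts(recs)))
```

Run it and compare the two renderings: in raw order each block opens with its SYSCALL record, in the interpreted order each block ends with it, and the kill event shows why that matters, since the SYSCALL line is one record among several OBJ_PID lines. `syscall_records` is the shape to copy when scripting over either output: select on `type=`, keyed by the event stamp, so the script keeps working whichever order ausearch prints.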