From: Steve Grubb <sgrubb@redhat.com>
To: Tarun Ramesh <tramesh@acalvio.com>
Cc: linux-audit@redhat.com
Subject: Re: auparse_feed callback on EOE record
Date: Sat, 15 Jun 2019 14:28:05 -0400
Message-ID: <8592444.xLyGizrlS5@x2>
In-Reply-To: <CAFQMB-UhU-4-uYVcasZn+E-GonpqqPO_7UZojSZ-7-2Eo81KZQ@mail.gmail.com>

Hello,

On Wednesday, June 12, 2019 3:05:40 AM EDT Tarun Ramesh wrote:
> Also I noticed that the EOE record is treated as its own event even though
> there were other records with the same audit serial number. I guess this is
> expected as after EOE there will be no more records for this event and if
> EOE was treated as a part of the previous event, then it will not be
> possible to tell when this event is complete.

This turns out to be a benign bug. Auparse has some heuristics to determine
the end of an event as quickly as possible. It appears that it determined the
event was complete before the EOE event arrived and thus the EOE event had no
existing event to get added to. I fixed auparse to eat standalone EOE events
since they are meaningless on their own. Thanks for reporting this issue.

-Steve
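
Added example, not part of the original message and not auparse code: a small stand-alone model of the situation described above, showing a late EOE record surfacing as its own event and the effect of discarding it. The sample records, the function names and the early-close rule (a new serial closes the open event) are assumptions made for illustration; auparse's real heuristics are not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: event 100 is closed early, then its EOE shows up. */
static const char *SAMPLE[] = {
    "type=SYSCALL msg=audit(1560323140.101:100): syscall=59",
    "type=CWD msg=audit(1560323140.101:100): cwd=\"/tmp\"",
    "type=SYSCALL msg=audit(1560323140.105:101): syscall=2",
    "type=EOE msg=audit(1560323140.101:100): ",
    "type=PATH msg=audit(1560323140.105:101): item=0",
    "type=EOE msg=audit(1560323140.105:101): ",
};
#define SAMPLE_N (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Pull the record type and serial out of a raw record header. */
static int parse_hdr(const char *line, char type[16], unsigned long *serial)
{
    unsigned long sec, ms;
    return sscanf(line, "type=%15s msg=audit(%lu.%lu:%lu)", type, &sec, &ms, serial) == 4 ? 0 : -1;
}

/* Count events delivered. Assumed stand-in heuristic: a new serial closes the open event. */
int count_events(const char **lines, size_t n, int drop_standalone_eoe)
{
    unsigned long cur = 0, serial;
    int have_open = 0, delivered = 0;
    char type[16];
    for (size_t i = 0; i < n; i++) {
        if (parse_hdr(lines[i], type, &serial) != 0)
            continue;                          /* malformed line */
        if (strcmp(type, "EOE") == 0) {
            if (have_open && serial == cur) {  /* normal end of event */
                delivered++; have_open = 0;
            } else if (!drop_standalone_eoe) {
                delivered++;                   /* EOE becomes its own event */
            }
            continue;
        }
        if (have_open && serial != cur)
            delivered++;                       /* closed before its EOE arrived */
        cur = serial; have_open = 1;
    }
    return delivered + have_open;              /* flush the last open event */
}

int main(void)
{
    printf("kept: %d events, dropped: %d events\n",
           count_events(SAMPLE, SAMPLE_N, 0), count_events(SAMPLE, SAMPLE_N, 1));
}
```

With the constructed input, keeping standalone EOE records yields three events for two serial numbers; discarding them yields two.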