From: LC Bruzenak
Subject: check_second_connection stopping my recovery?
Date: Wed, 18 Nov 2009 17:01:10 -0600
To: Linux Audit
List-Id: linux-audit@redhat.com

It appears to me as though the new connection code in auditd-listen.c is
stopping my recovery actions. My aggregator is getting a constant stream of:

    op=dup addr=192.168.10.10:43546 port=43546 res=no

I was going back through the events on disk, scooping them up and sending
them to the aggregation machine as Steve suggested a long while back (using
an ausearch then piping the results to audisp-remote).

So it appears to me that this is now prohibited. Was this intentional?

Thx,
LCB.

--
LC (Lenny) Bruzenak