[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-audit
Subject:    Re: event loss with dispatcher?
From:       Steve Grubb <sgrubb () redhat ! com>
Date:       2007-11-09 14:23:24
Message-ID: 200711090923.24942.sgrubb () redhat ! com
[Download RAW message or body]

On Thursday 08 November 2007 21:20:42 John Dennis wrote:
> Steve Grubb wrote:
> > On Thursday 08 November 2007 16:17:52 klausk@br.ibm.com wrote:
> >> Any tips on how can I debug this further?
>
> but by any chance could the missing audit data be explained by out of order
> event ID's in the audit stream?

No chance. :)

Audispd does not link against the audit parsing library nor has a concept of a 
full event - it just distributes what it has. If the configuration option is 
to send string data to plugins, it does convert the type number to a string 
value by a lookup function in libaudit, but that's full extent of it doing 
anything to the event its passing along.

-Steve

[prev in list] [next in list] [prev in thread] [next in thread]