On Tue, 07 Oct 2014 18:06:51 -0400 Paul Moore <pmo...@redhat.com> wrote:
> On Tuesday, October 07, 2014 03:39:51 PM Richard Guy Briggs wrote:
> > I also thought of moving audit_log_task() from auditsc.c to audit.c
> > and using that. For that matter, both audit_log_task() and
> > audit_log_task_info() could use audit_log_session_info(), but they
> > are in slightly different order of keywords which will upset
> > sgrubb's parser.
>
> A bit of an aside from the patch, but in my opinion the parser should
> be made a bit more robust so that it can handle fields in any
> particular order. I agree that having fields in a "canonical
> ordering" is helpful, both for tools and people, but the tools
> shouldn't require it in my opinion.
>
> Steve, why exactly can't the userspace parser handle fields in any
> order? How difficult would it be to fix?

The issue is that people that really use audit, really get vast
quantities of logs. The tools expect things in a specific order so that
it can pick things out of events as quickly as possible. IOW, it knows
when it can discard the line because it's grabbed everything it needs. A
casual audit user would never see this. I'm really optimizing for the
people who use ausearch and it takes 10 minutes to run.

-Steve
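An added illustration of the trade-off discussed in this thread (not code from the audit userspace tools or from any poster): an order-independent field scan that still stops reading a record once it has every field it wants, so the cost depends on how late the last wanted field appears. The record layout is simplified to space-separated key=value tokens without quoted values, the sample records are constructed, and `scan_fields` and `tokens_for_auid_ses` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample records (not from the thread): same fields, two orders. */
static const char REC_A[] = "type=LOGIN msg=audit(1412719611.000:42): pid=812 uid=0 auid=1000 ses=3 res=1";
static const char REC_B[] = "type=LOGIN msg=audit(1412719611.000:42): pid=812 uid=0 ses=3 res=1 auid=1000";
struct field { const char *val; size_t len; };

/* Scan space-separated key=value tokens in any order; stop once every wanted key is
 * seen. Returns keys found; *examined = tokens looked at. No quoted values (simplified). */
static size_t scan_fields(const char *line, const char *const *want,
                          size_t nwant, struct field *out, size_t *examined)
{
    size_t found = 0;
    *examined = 0;
    for (size_t i = 0; i < nwant; i++) out[i].val = NULL;
    for (const char *p = line; *p && found < nwant; ) {
        while (*p == ' ') p++;                 /* skip separators */
        if (!*p) break;
        const char *end = strchr(p, ' ');      /* end of this token */
        if (!end) end = p + strlen(p);
        const char *eq = memchr(p, '=', (size_t)(end - p));
        (*examined)++;
        for (size_t i = 0; eq && i < nwant; i++) {
            size_t klen = (size_t)(eq - p);
            if (!out[i].val && strlen(want[i]) == klen && !memcmp(p, want[i], klen)) {
                out[i] = (struct field){ eq + 1, (size_t)(end - eq - 1) };
                found++;
                break;
            }
        }
        p = end;
    }
    return found;
}

/* Tokens examined to collect auid and ses; 0 if either is missing. */
static size_t tokens_for_auid_ses(const char *line)
{
    static const char *const want[] = { "auid", "ses" };
    struct field out[2];
    size_t examined;
    return scan_fields(line, want, 2, out, &examined) == 2 ? examined : 0;
}

int main(void)
{
    printf("A=%zu B=%zu\n", tokens_for_auid_ses(REC_A), tokens_for_auid_ses(REC_B));
    return 0;
}
```

On REC_A the scan stops after six tokens; on REC_B, where auid comes last, it has to read all seven.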