On Monday, June 16, 2014 05:20:10 PM Eric Paris wrote: > My guess is that userspace just throws away record where it doesn't find > the auid= and ses= and you kernel happens to live in those couple of > months were it had "new-ses" and "new-auid"
Was this patch sent to stable? The audit code tries to handle the old way and the new way: https://fedorahosted.org/audit/browser/trunk/tools/aulast/aulast.c#L175 But I thought the patch went to stable to prevent breaking user space. This is only one issue. I am seeing duplicate and missing events between systemd, gdm, and lightdm. > I'd call this a pretty clear userspace bug where it just completely > drops records, even if it can't parse them... That theory can be tested by using: ausearch --start this-week --debug > /dev/null Anything that gets tossed out will be reported to stderr. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit