diff -urp audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c

--- audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c	2008-04-07 16:57:12.000000000 -0400

+++ audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c	2008-04-18 14:23:06.000000000 -0400

@@ -228,7 +228,8 @@ int main(int argc, char *argv[])

 		return -1;

 	}

-	syslog(LOG_INFO, "audisp-prelude is ready for events");

+	if (mode != M_TEST)

+		syslog(LOG_INFO, "audisp-prelude is ready for events");

 	do {

 		/* Load configuration */

 		if (hup) {

@@ -248,9 +249,10 @@ int main(int argc, char *argv[])

 	/* Flush any accumulated events from queue */

 	auparse_flush_feed(au);

-	syslog(LOG_INFO, "audisp-prelude is exiting on stop request");

 	if (mode == M_TEST)

 		puts("audisp-prelude is exiting on stop request");

+	else

+		syslog(LOG_INFO, "audisp-prelude is exiting on stop request");

 	/* Cleanup subsystems */

 	if (client) 

@@ -609,7 +611,7 @@ static int get_login_exe_info(auparse_st

 		base = basename(exe);

 		ret = prelude_string_new(&name_str);

 		PRELUDE_FAIL_CHECK;

-		ret = prelude_string_set_ref(name_str, base);

+		ret = prelude_string_set_dup(name_str, base);

 		PRELUDE_FAIL_CHECK;

 		idmef_process_set_name(process, name_str);

 	}

@@ -708,7 +710,7 @@ static int get_comm_info(auparse_state_t

 			char *base = basename(exe);

 			ret = prelude_string_new(&name_str);

 			PRELUDE_FAIL_CHECK;

-			ret = prelude_string_set_ref(name_str, base);

+			ret = prelude_string_set_dup(name_str, base);

 			idmef_process_set_name(process, name_str);

 		}

 	}

@@ -760,7 +762,7 @@ static int get_file_info(auparse_state_t

 		ret = prelude_string_new(&str);

 		PRELUDE_FAIL_CHECK;

-		ret = prelude_string_set_ref(str, path);

+		ret = prelude_string_set_dup(str, path);

 		PRELUDE_FAIL_CHECK;

 		if (path[0] == '/') {

 			char *base;

@@ -772,7 +774,7 @@ static int get_file_info(auparse_state_t

 				base = "/";

 			ret = prelude_string_new(&name_str);

 			PRELUDE_FAIL_CHECK;

-			ret = prelude_string_set_ref(name_str, base);

+			ret = prelude_string_set_dup(name_str, base);

 			PRELUDE_FAIL_CHECK;

 			idmef_file_set_name(file, name_str);

 		} else

@@ -1811,7 +1813,7 @@ static void handle_event(auparse_state_t

 		rc = 0;

 		switch (type) {

 			case AUDIT_AVC:

-			case AUDIT_USER_AVC:

+//			case AUDIT_USER_AVC:

 				if (config.avcs == E_NO)

 					break;

 				if (config.avcs_act != A_IDMEF)

diff -urp audit-1.7.2.orig/auparse/auparse.c audit-1.7.2/auparse/auparse.c

--- audit-1.7.2.orig/auparse/auparse.c	2008-04-08 12:37:09.000000000 -0400

+++ audit-1.7.2/auparse/auparse.c	2008-04-18 14:10:36.000000000 -0400

@@ -1130,6 +1130,7 @@ int auparse_first_record(auparse_state_t

 			return rc;

 	}

 	aup_list_first(&au->le);

+	aup_list_first_field(&au->le);

 	return 1;

 }

@@ -1236,7 +1237,22 @@ const char *auparse_find_field(auparse_s

 {

 	free(au->find_field);

 	au->find_field = strdup(name);

-	return auparse_find_field_next(au);

+

+	if (au->le.e.sec) {

+		const char *cur_name;

+		rnode *r;

+

+		// look at current record before moving

+		r = aup_list_get_cur(&au->le);

+		if (r == NULL)

+			return NULL;

+		cur_name = nvlist_get_cur_name(&r->nv);

+		if (cur_name && strcmp(cur_name, name) == 0)

+			return nvlist_get_cur_val(&r->nv);

+

+		return auparse_find_field_next(au);

+	}

+	return NULL;

 }

 /* Increment 1 location and then scan for next field */

@@ -1258,6 +1274,8 @@ const char *auparse_find_field_next(aupa

 			if (nvlist_find_name(&r->nv, au->find_field))

 				return nvlist_get_cur_val(&r->nv);

 			r = aup_list_next(&au->le);

+			if (r)

+				aup_list_first_field(&au->le);

 		}

 	}

 	return NULL;