Fix support of kernel < 3.0

CHANGELOG.md

@@ -12,7 +12,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Fix change in behaviour that causes error when unmarshaling `AuditStatus` with a short buffer. [#110](https://github.com/elastic/go-libaudit/pull/110)
 - Reduce heap allocations when parsing and enriching auditd events. [#111](https://github.com/elastic/go-libaudit/pull/111)
 - Relax short buffer requirement further to allow for kernels that do not support the backlog wait feature. [#113](https://github.com/elastic/go-libaudit/pull/113)
-
+- Fix minimum `AuditStatus` length so that library can support kernels from 2.6.32. [#119](https://github.com/elastic/go-libaudit/pull/119)
 ### Removed
 
 ### Deprecated

audit.go

@@ -606,12 +606,13 @@ type AuditStatus struct {
 const (
 	sizeofAuditStatus = int(unsafe.Sizeof(AuditStatus{}))
 
-	// MinSizeofAuditStatus is the minimum usable message size that
-	// is acceptable for unmarshaling from the wire format. Messages
-	// this size do not report features after the FeatureBitmap field.
+	// MinSizeofAuditStatus is the minimum usable message size for
+	// the earliest 2.6.32 kernel supported by Go lang.
+	// https://elixir.bootlin.com/linux/v2.6.32/source/include/linux/audit.h#L317
+	// Messages this size do not report features after the Backlog field.
 	// Users should consult the feature bitmap to determine which
 	// features are valid.
-	MinSizeofAuditStatus = int(unsafe.Offsetof(AuditStatus{}.FeatureBitmap) + unsafe.Sizeof(AuditStatus{}.FeatureBitmap))
+	MinSizeofAuditStatus = int(unsafe.Offsetof(AuditStatus{}.Backlog) + unsafe.Sizeof(AuditStatus{}.Backlog))
 )
 
 func (s AuditStatus) toWireFormat() []byte {