diff --git a/audit-445353-1.patch b/audit-445353-1.patch
new file mode 100644
index 0000000..45e1145
--- /dev/null
+++ b/audit-445353-1.patch
@@ -0,0 +1,126 @@ +--- + docs/ausearch.8 | 3 +++ + src/ausearch-options.c | 10 +++++++++- + src/ausearch-options.h | 1 + + src/ausearch.c | 5 ++--- + 4 files changed, 15 insertions(+), 4 deletions(-) + +Index: trunk/docs/ausearch.8 +=================================================================== +--- trunk.orig/docs/ausearch.8 ++++ trunk/docs/ausearch.8 +@@ -57,6 +57,9 @@ Stop after emitting the first event that + .BR \-k ,\ \-\-key \ \fIkey-string\fP + Search for an event based on the given \fIkey string\fP. + .TP ++.BR \-l ,\ \-\-line-buffered ++Flush output on every line. Most useful when stdout is connected to a pipe and the default block buffering strategy is undesirable. May impose a performance penalty. ++.TP + .BR \-m ,\ \-\-message \ \fImessage-type\fP\ |\ \fIcomma-sep-message-type-list\fP + Search for an event matching the given \fImessage type\fP. You may also enter a \fIcomma separated list of message types\fP. There is an \fBALL\fP message type that doesn't exist in the actual logs. It allows you to get all messages in the system. The list of valid messages types is long. The program will display the list whenever no message type is passed with this parameter. The message type can be either text or numeric. If you enter a list, there can be only commas and no spaces separating the list. 
+ .TP +Index: trunk/src/ausearch-options.c +=================================================================== +--- trunk.orig/src/ausearch-options.c ++++ trunk/src/ausearch-options.c +@@ -51,5 +51,6 @@ int event_ua = 0, event_ga = 0, event_se + int just_one = 0; + int event_session_id = -1; ++int line_buffered = 0; + const char *event_key = NULL; + const char *event_node = NULL; + const char *event_filename = NULL; +@@ -72,7 +73,7 @@ enum { S_EVENT, S_COMM, S_FILENAME, S_AL + S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS, + S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, + S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT, +-S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION }; ++S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_LINEBUFFERED }; + + static struct nv_pair optiontab[] = { + { S_EVENT, "-a" }, +@@ -101,6 +103,8 @@ static struct nv_pair optiontab[] = { + { S_JUST_ONE, "--just-one" }, + { S_KEY, "-k" }, + { S_KEY, "--key" }, ++ { S_LINEBUFFERED, "-l" }, ++ { S_LINEBUFFERED, "--line-buffered" }, + { S_MESSAGE_TYPE, "-m" }, + { S_MESSAGE_TYPE, "--message" }, + { S_NODE, "-n" }, +@@ -173,6 +177,7 @@ static void usage(void) + "\t--input-logs\t\t\tUse the logs even if stdin is a pipe\n" + "\t--just-one\t\t\tEmit just one event\n" + "\t-k,--key \t\tsearch based on key field\n" ++ "\t-l, --line-buffered\t\tFlush output on every line\n" + "\t-m,--message \tsearch based on message type\n" + "\t-n,--node \t\tsearch based on machine's name\n" + "\t-o,--object search based on context of object\n" +@@ -1003,6 +1008,9 @@ int check_params(int count, char *vars[] + c++; + } + break; ++ case S_LINEBUFFERED: ++ line_buffered = 1; ++ break; + default: + fprintf(stderr, "%s is an unsupported option\n", + vars[c]); +Index: trunk/src/ausearch-options.h +=================================================================== +--- trunk.orig/src/ausearch-options.h ++++ 
trunk/src/ausearch-options.h +@@ -36,6 +36,7 @@ extern const char *event_subject; + extern const char *event_object; + extern int event_se; + extern int just_one; ++extern int line_buffered; + extern pid_t event_ppid; + extern int event_session_id; + +Index: trunk/src/ausearch.c +=================================================================== + +--- audit-1.7.7/src/ausearch.c.orig 2008-11-27 02:09:24.438158000 +0100 ++++ audit-1.7.7/src/ausearch.c 2008-11-27 02:12:45.548843000 +0100 +@@ -43,7 +43,6 @@ + + static FILE *log_fd = NULL; + static int found = 0; +-static int pipe_mode = 0; + static int process_logs(void); + static int process_log_fd(void); + static int process_stdin(void); +@@ -58,11 +57,12 @@ + extern int match(llist *l); + extern void output_record(llist *l); + +-static int input_is_pipe(void) ++static int is_pipe(int fd) + { + struct stat st; ++ int pipe_mode = 0; + +- if (fstat(0, &st) == 0) { ++ if (fstat(fd, &st) == 0) { + if (S_ISFIFO(st.st_mode)) + pipe_mode = 1; + } +@@ -92,7 +92,7 @@ + rc = process_file(user_file); + else if (force_logs) + rc = process_logs(); +- else if (input_is_pipe()) ++ else if (is_pipe(0)) + rc = process_stdin(); + else + rc = process_logs(); +@@ -190,6 +190,8 @@ + list_clear(&entries); + break; + } ++ if (line_buffered) ++ fflush(stdout); + } + list_clear(&entries); + } while (ret == 0); diff --git a/audit-445353-2.patch b/audit-445353-2.patch new file mode 100644 index 0000000..76c4411 --- /dev/null +++ b/audit-445353-2.patch 
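Review bot: In audit-445353-1.patch, the `fflush(stdout)` added in the last ausearch.c hunk discards its return value, so a failed write (for example a full filesystem behind a redirect) goes unnoticed and the loop keeps consuming records whose output was lost. Since `-l` is meant for consumers that read audit events as they arrive, I would check it, e.g. `if (line_buffered && fflush(stdout) == EOF) { list_clear(&entries); return -1; }`, adjusted to whatever error path the enclosing function uses; that function starts outside the hunk. The flush also appears to run once per matched record rather than once per output line, so the man page and usage text would be more accurate as `Flush output after every record`.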
@@ -0,0 +1,88 @@ +--- + ausearch.c | 31 +++++++++++++++++++++++++++---- + 1 file changed, 27 insertions(+), 4 deletions(-) + +Index: trunk/src/ausearch.c +=================================================================== +--- audit-1.7.7/src/ausearch.c.orig 2008-11-26 22:39:25.736364000 +0100 ++++ audit-1.7.7/src/ausearch.c 2008-11-27 00:21:32.801448000 +0100 +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include "libaudit.h" + #include "auditd-config.h" + #include "ausearch-options.h" +@@ -43,6 +44,8 @@ + + static FILE *log_fd = NULL; + static int found = 0; ++static int input_is_pipe = 0; ++static int timeout_interval = 5; /* timeout in seconds */ + static int process_logs(void); + static int process_log_fd(void); + static int process_stdin(void); +@@ -200,9 +203,19 @@ + return 0; + } + ++static void alarm_handler(int signal) ++{ ++ /* will interrupt current syscall */ ++} ++ + static int process_stdin(void) + { + log_fd = stdin; ++ input_is_pipe=1; ++ ++ if (signal(SIGALRM, alarm_handler) == SIG_ERR || ++ siginterrupt(SIGALRM, 1) == -1) ++ return -1; + + return process_log_fd(); + } +@@ -236,6 +249,7 @@ + char *rc; + char *buff = NULL; + int first_time = 1; ++ int timer_running = 0; + + while (1) { + if (saved_buff) { +@@ -248,11 +262,20 @@ + if (!buff) + return -1; + } +- // FIXME: In pipe mode, if there is a waiting buffer +- // and 5 seconds has elapsed, go ahead and process +- // the buffer - nothings coming that's related. ++ ++ if (input_is_pipe && !first_time) { ++ timer_running = 1; ++ alarm(timeout_interval); ++ } ++ + rc = fgets_unlocked(buff, MAX_AUDIT_MESSAGE_LENGTH, + log_fd); ++ ++ if (timer_running) { ++ /* timer may have fired but thats ok */ ++ timer_running = 0; ++ alarm(0); ++ } + } + if (rc) { + lnode n; +@@ -282,7 +305,9 @@ + } + } else { + free(buff); +- if (feof(log_fd)) ++ if (ferror(log_fd) && errno == EINTR) ++ return 0; ++ else if (feof(log_fd)) + return 1; + else + return -1; 
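Review bot: In audit-445353-2.patch, the new `ferror(log_fd) && errno == EINTR` test reads errno only after `alarm(0)` and `free(buff)` have run, and it never clears the stream's error indicator. On C libraries where free() does not preserve errno the timeout can be misread as a hard error (-1), and because the error flag is sticky, a later EOF with a stale EINTR in errno would return 0 instead of 1, which the caller may treat as "keep reading". I would capture errno right after `fgets_unlocked()`, test `feof()` first, and call `clearerr(log_fd)` on the timeout path, as sketched below. Separately, a SIGALRM that lands while a line is only partly read may make the stdio call return NULL with the partial data already consumed; that is worth confirming, since it would silently truncate an audit record. The function body starts and ends outside these hunks.

```c
	int timer_running = 0;
	int saved_errno = 0;

	/* … unchanged: saved_buff handling, malloc, alarm(timeout_interval) … */
			rc = fgets_unlocked(buff, MAX_AUDIT_MESSAGE_LENGTH,
					log_fd);
			saved_errno = errno;	/* before alarm(0)/free() can disturb it */

	/* … unchanged: alarm(0), record parsing … */
		} else {
			free(buff);
			if (feof(log_fd))
				return 1;
			if (ferror(log_fd) && saved_errno == EINTR) {
				clearerr(log_fd);	/* timeout, not a stream failure */
				return 0;
			}
			return -1;
```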
diff --git a/audit-445353.patch b/audit-445353.patch deleted file mode 100644 index 33d2b7b..0000000 --- a/audit-445353.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: tonyj@suse.de -Date: Tue Nov 18 18:08:32 CET 2008 -References: 445353 -Upstream: no - -Flush stdout if pipe. Prevents output being queued in pipebuf if input fails -to signal EOF. - ---- audit-1.2.9/src/ausearch.c.old 2008-11-17 15:55:47.000000000 -0800 -+++ audit-1.2.9/src/ausearch.c 2008-11-17 16:06:54.000000000 -0800 -@@ -58,11 +58,11 @@ - extern int match(llist *l); - extern void output_record(llist *l); - --static int input_is_pipe(void) -+static int is_pipe(int fd) - { - struct stat st; - -- if (fstat(0, &st) == 0) { -+ if (fstat(fd, &st) == 0) { - if (S_ISFIFO(st.st_mode)) - pipe_mode = 1; - } -@@ -92,7 +92,7 @@ - rc = process_file(user_file); - else if (force_logs) - rc = process_logs(); -- else if (input_is_pipe()) -+ else if (is_pipe(0)) - rc = process_stdin(); - else - rc = process_logs(); -@@ -175,6 +175,7 @@ - { - llist entries; // entries in a record - int ret; -+ int flush = is_pipe(1); - - /* For each record in file */ - list_create(&entries); -@@ -185,6 +186,8 @@ - } - if (match(&entries)) { - output_record(&entries); -+ if (flush) -+ fflush(stdout); - found = 1; - if (just_one) { - list_clear(&entries); diff --git a/audit-secondary.spec b/audit-secondary.spec index 15875b9..109c21a 100644 --- a/audit-secondary.spec +++ b/audit-secondary.spec @@ -26,7 +26,7 @@ Summary: Python Bindings for libaudit License: GPL v2 or later Group: System/Monitoring Version: 1.7.7 -Release: 3 +Release: 4 Url: http://people.redhat.com/sgrubb/audit/ Source0: audit-%{version}.tar.bz2 Patch0: audit-no_sca.patch diff --git a/audit.changes b/audit.changes index c283ffa..4da0d3b 100644 --- a/audit.changes +++ b/audit.changes 
@@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Fri Dec 5 02:30:03 CET 2008 - tonyj@suse.de + +- Revision to previous fix for bnc#445353. + These should go into SLES11 RC1. + 1) Add --line-buffered option to limit when stdout is flushed (performance). + 2) Testing found a related bug where (if input is a pipe) the last logical + record would permanently be queued waiting for a subsequent record indicating + end of the previous. This subsequent record may never arrive. Timer is + now run causing this record to be flushed if no new record arrives within + timeout. This fix is upstream also. + ------------------------------------------------------------------- Fri Nov 21 08:45:03 CET 2008 - tonyj@suse.de diff --git a/audit.spec b/audit.spec index a25b885..c0adfb4 100644 --- a/audit.spec +++ b/audit.spec @@ -22,7 +22,7 @@ Name: audit BuildRequires: gcc-c++ tcpd-devel Summary: User Space Tools for 2.6 Kernel Auditing Version: 1.7.7 -Release: 3 +Release: 4 License: GPL v2 or later Group: System/Monitoring Url: http://people.redhat.com/sgrubb/audit/ @@ -33,7 +33,8 @@ Patch0: audit-no_sca.patch Patch1: audit-no_python.patch Patch2: audit-no_plugins.patch Patch3: audit-no-gss.patch -Patch4: audit-445353.patch +Patch4: audit-445353-1.patch +Patch5: audit-445353-2.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: %{name}-libs = %{version}-%{release} PreReq: %insserv_prereq %fillup_prereq @@ -96,6 +97,7 @@ Authors: %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %build autoreconf -fi 
@@ -224,6 +226,15 @@ fi %attr(755,root,root) /usr/bin/ausyscall %changelog +* Fri Dec 05 2008 tonyj@suse.de +- Revision to previous fix for bnc#445353. + These should go into SLES11 RC1. + 1) Add --line-buffered option to limit when stdout is flushed (performance). + 2) Testing found a related bug where (if input is a pipe) the last logical + record would permanently be queued waiting for a subsequent record indicating + end of the previous. This subsequent record may never arrive. Timer is + now run causing this record to be flushed if no new record arrives within + timeout. This fix is upstream also. * Fri Nov 21 2008 tonyj@suse.de - Force ausearch to flush stdout if pipe (bnc#445353) * Thu Oct 30 2008 olh@suse.de