Audit Parsing Library Requirements
Steve Grubb
sgrubb at redhat.com
Fri Mar 10 23:13:25 UTC 2006
On Friday 10 March 2006 17:45, Debora Velarde wrote:
> 1. In this case would auparse_get_host(auparse_state_t *au) retrieve the
> hostname of this record?
It would retrieve the name of the machine that the audit message came from. In
this format, it would default to the rough equivalent of "uname -n". The
record format will change to accommodate a host field. This is needed so that
a data center can have a central logger that stores everything.
> 2. Will the user have to extract the values of 'user' and 'exe' from the
> entire value of 'msg' themselves?
No. Look at the example code. You would do
if (auparse_find_field(au, "user")) {
    const char *str = auparse_get_field_str(au);
    do_whatever(str);   /* placeholder for whatever you do with the value */
}
> Or can the API return the values for those individually?
Yes.
-Steve
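As an added illustration of the two answers above (this is not code from the thread and not libauparse itself): a self-contained Python sketch of what the library does on the caller's behalf, with one sample record that carries no host and one that carries a leading node= field standing in for the host field the reply says the record format would gain. The record layout, the node= prefix, the sample records and the method names that mirror auparse_find_field / auparse_get_field_str / auparse_get_host are all assumptions made for this example; the stand-in searches only the current record, where the real library walks the whole event.

```python
import re
import shlex
import socket
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample records, not taken from the mailing-list thread.
# Record 2 has a leading node= field (assumed host field); record 1 has
# none, so the host falls back to the local machine name.
SAMPLE_RECORDS = [
    'type=USER_LOGIN msg=audit(1141996405.123:4567): user=alice pid=2921 '
    'uid=0 exe="/bin/login" res=success',
    'node=db1.example.org type=SYSCALL msg=audit(1141996405.456:4568): '
    'arch=40000003 syscall=11 success=yes exit=0 uid=500 comm="sh" '
    'exe="/bin/bash" key="config-change"',
]

# Header layout assumed here: [node=HOST] type=TYPE msg=audit(TS:SERIAL): body
HEADER_RE = re.compile(
    r"^(?:node=(?P<node>\S+)\s+)?"
    r"type=(?P<type>\S+)\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*"
    r"(?P<body>.*)$"
)


@dataclass
class Record:
    type: str
    timestamp: float
    serial: int
    node: Optional[str]
    fields: Dict[str, str]


def parse_record(line: str) -> Record:
    """Split one record into its header and a name -> value field map."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an audit record: {line!r}")
    fields: Dict[str, str] = {}
    # shlex keeps a quoted value such as exe="/usr/bin/some prog" in one
    # piece, so a space inside the value does not split it.
    for token in shlex.split(m.group("body")):
        name, sep, value = token.partition("=")
        if sep:
            fields[name] = value
    return Record(type=m.group("type"), timestamp=float(m.group("ts")),
                  serial=int(m.group("serial")), node=m.group("node"),
                  fields=fields)


def default_host() -> str:
    """Rough equivalent of uname -n, used when a record names no host."""
    return socket.gethostname()


class Parser:
    """Stand-in for an auparse_state_t: a list of records plus a cursor."""

    def __init__(self, lines) -> None:
        self.records = [parse_record(line) for line in lines]
        self.index = 0
        self.current_field: Optional[str] = None

    def record(self) -> Record:
        return self.records[self.index]

    def next_record(self) -> bool:
        if self.index + 1 >= len(self.records):
            return False
        self.index += 1
        self.current_field = None
        return True

    def find_field(self, name: str) -> Optional[str]:
        """Like auparse_find_field: position on a field, return its value."""
        value = self.record().fields.get(name)
        self.current_field = name if value is not None else None
        return value

    def get_field_str(self) -> Optional[str]:
        """Like auparse_get_field_str: value of the field found last."""
        if self.current_field is None:
            return None
        return self.record().fields[self.current_field]

    def get_field_int(self) -> Optional[int]:
        """Decimal value of the current field, or None if it is not one."""
        value = self.get_field_str()
        return int(value) if value is not None and value.isdigit() else None

    def get_host(self) -> str:
        """Like auparse_get_host as the reply describes it."""
        return self.record().node or default_host()


if __name__ == "__main__":
    au = Parser(SAMPLE_RECORDS)
    while True:
        print(au.get_host(), au.record().type,
              au.find_field("user"), au.find_field("exe"))
        if not au.next_record():
            break
```

The caller never touches the text after "msg=audit(...):" directly; it asks for a field by name and gets the value back, which is the behaviour the reply describes for user and exe.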
More information about the Linux-audit mailing list