Audit Parsing Library Requirements
Loulwa Salem
loulwas at us.ibm.com
Mon Mar 13 14:57:40 UTC 2006
Klaus Weidner wrote:
> On Fri, Mar 10, 2006 at 01:42:00PM -0600, LC Bruzenak wrote:
>
>>That to me means that the field names are not unique; hence my question.
>
>
> There are two separate issues here:
>
> - audit records that contain the same field name twice for different
> purposes in a single record. I think this happens in a couple of places
> where uid or something like that is re-used. My preference would be to
> consider this a bug in the audit generation that needs fixing, instead
> of having the parser handle it. (As a side note, any remaining tag names
> containing spaces should also be fixed...)
>
On the side note issue, I am all for that; using a "space" when "_"
should be just makes for a lot of unnecessary parsing exceptions to skip
those lonely words.
Also, many audit records have what seems to me to be random symbols (e.g.
, : ( ' ). If we get rid of those, that would be great.
If that is something we want, I can create a patch to fix these
oddities. I believe those messages come from the kernel, right?
Are there any that come from audit userspace?
- Loulwa
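
An added example, not part of the original message or of the audit project's code: a small Python lint that flags the oddities discussed in this thread (a field name repeated within one record, words with no `name=` in front of them, and stray symbols attached to field names). The sample records are constructed for illustration, and `lint_record` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample records (illustrative layout, not captured from a real system).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1142261860.123:42): arch=40000003 syscall=5 '
    'success=yes uid=0 gid=0 comm="cat"',
    "type=USER_AUTH msg=audit(1142261861.456:43): user pid=2100 uid=0 "
    "msg='PAM authentication: user=root uid=500 (hostname=?, terminal=tty1 result=Success)'",
    'type=CONFIG_CHANGE msg=audit(1142261862.789:44): audit_enabled=1 old=0 by auid=500',
]

# Record header: type, then msg=audit(timestamp:serial):, then the body.
HEADER = re.compile(r'^type=(\S+) msg=audit\([\d.]+:\d+\):\s*(.*)$')
# Either name=value (value may be a double-quoted string) or a bare word.
TOKEN = re.compile(r'([^\s=]+)=("[^"]*"|\S*)|(\S+)')
# Assumption: a well-formed field name uses only letters, digits, "_" and "-".
CLEAN_NAME = re.compile(r'^[A-Za-z0-9_-]+$')


def lint_record(line):
    """Report field-naming problems in the body of one audit record."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec_type, body = m.groups()
    names, bare_words = [], []
    for name, _value, bare in TOKEN.findall(body):
        if name:
            names.append(name)       # token of the form name=value
        else:
            bare_words.append(bare)  # "lonely word" with no '='
    counts = Counter(names)
    return {
        "type": rec_type,
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "bare_words": bare_words,
        "odd_names": sorted(n for n in counts if not CLEAN_NAME.match(n)),
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(lint_record(rec))
```

Only the record body is checked; the `type=` and `msg=audit(...)` header fields are parsed separately and not counted as duplicates.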