[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Audit Parsing Library Requirements

Klaus Weidner wrote:
On Fri, Mar 10, 2006 at 01:42:00PM -0600, LC Bruzenak wrote:

That to me means that the field names are not unique; hence my question.

There's two separate issues here:

- audit records that contain the same field name twice for different
  purposes in a single record. I think this happens in a couple of places
  where uid or something like that is re-used. My preference would be to
  consider this a bug in the audit generation that needs fixing, instead
  of having the parser handle it. (As a side note, any remaining tag names
  containing spaces should also be fixed...)

On the Side note issue, I am all for that, using a "space" when "_" should be just makes for alot of unnecessary parsing exceptions to skip those lonely words. Also, many audit records have what seems to me to be random symbols (ex. , : ( ' ). If we get rid of those .. that would be great.

If that is something we want, I can create a patch to fix these oddities. I believe those messages come from kernel.. right?
Are there any that come from audit userspace?

- Loulwa

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]