Audit Parsing Library Requirements
John D. Ramsdell
ramsdell at mitre.org
Mon Mar 13 20:46:52 UTC 2006
ramsdell at mitre.org (John D. Ramsdell) writes:
> Steve Grubb <sgrubb at redhat.com> writes:
>
> > Each record is denoted by a type which indicates what fields will
> > follow. Information in the fields is held by a name/value pair that
> > contains an '=' between them. Each field is separated from one
> > another by a space or comma.
>
> Please do not separate fields with commas.
Oops. I think I misunderstood the text. I thought it was defining
ausearch output, but it must be describing something about the data
source. I notice ausearch output always separates fields with a space
and not a comma.
John
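
The record layout quoted in this message (a type, then name=value fields separated by a space or a comma) can be parsed as in the following added example, which is not part of the original post and is not code from the audit project. The function name, the leading `type=` field and the double-quoted values are assumptions, and the sample lines are constructed.

```python
import re

# One field: a name, '=', then either a double-quoted value (assumed
# convention for values containing separators) or a bare run of
# characters that contains neither separator (space or comma).
_FIELD = re.compile(r'([A-Za-z_][\w-]*)=("(?:[^"\\]|\\.)*"|[^\s,]*)')

def parse_record(line):
    """Return (record_type, [(name, value), ...]) for one record line.

    Fields may be separated by spaces, commas, or a mix of both.
    Repeated names are kept in order, so a list is returned, not a dict.
    """
    line = line.strip()
    fields = []
    pos = 0
    while pos < len(line):
        if line[pos] in " ,\t":          # skip any run of separators
            pos += 1
            continue
        m = _FIELD.match(line, pos)
        if m is None:                    # text that is not name=value
            raise ValueError(f"malformed field at column {pos}")
        name, value = m.group(1), m.group(2)
        # Strip the quotes only when the value is properly terminated.
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields.append((name, value))
        pos = m.end()
    # Assumption: the record type is carried in a leading type= field.
    if not fields or fields[0][0] != "type":
        raise ValueError("record does not start with a type field")
    return fields[0][1], fields[1:]

# Constructed sample records, one per separator style.
SPACE_SEPARATED = 'type=SYSCALL arch=40000003 syscall=5 success=yes comm="cat"'
COMMA_SEPARATED = 'type=USER_LOGIN,uid=0,acct="root user",res=success'

if __name__ == "__main__":
    for sample in (SPACE_SEPARATED, COMMA_SEPARATED):
        rtype, pairs = parse_record(sample)
        print(rtype, pairs)
```
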