
Re: Changes to Audit record format



John D. Ramsdell wrote:
	All two word fields should have an "_" between the words
rather than a space (since we use the space as a delimiter which makes
the most sense, we end up with lonely words that need to be ignored
currently). Using "_" would make life easier instead.


I'm confused.  Are you talking about ausearch output, or about the
names that will be returned by the parsing library's functions?  If
it's the ausearch output, records of type SOCKADDR fail to meet your
parsing requirements.  It's as if colon becomes the name/value pair
separator.


Currently we have our own parser that reads records directly from /var/log/audit/audit.log, and that's what I am referring to. I am talking about the way the audit record is printed to the audit log, not the ausearch output.

thanks,
- Loulwa

