saddr value in connect()

Steve Grubb sgrubb at redhat.com
Tue May 6 17:55:25 UTC 2014


lists_todd at mac.com wrote:
> I’m writing my own parsing code to add Linux analysis to my Mac-based
> BSM audit analysis tools, so I might be asking some “out of left
> field” questions from time to time. I’ve been working my way through
> decoding things like the sockaddr hex blob.

Out of curiosity, why don't you use auparse to write your BSM
reformatter? I used it to reformat audit events into IDMEF events. It's
used for the zos log aggregator. We will likely be needing to make changes
soon and it would insulate you from those kinds of issues.

-Steve
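For readers hand-decoding the saddr hex blob that the question refers to, here is an added example (not code from this thread or from the audit project) that decodes the saddr= field of a Linux audit SOCKADDR record for AF_INET, AF_INET6 and AF_UNIX. It assumes the record was produced on a little-endian host (sa_family is host byte order) and uses the Linux address-family numbers; the sample records are constructed.

```python
import ipaddress
import re
import struct

# Linux address-family numbers (hardcoded rather than socket.AF_* so the
# decoder gives Linux answers even when run on another OS).
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Constructed sample SOCKADDR records; saddr= is the raw struct sockaddr
# passed to connect(), hex-encoded by the kernel.
SAMPLE_RECORDS = {
    "ipv4": "type=SOCKADDR msg=audit(1399399325.123:4567): "
            "saddr=02000050C0A800010000000000000000",
    "ipv6": "type=SOCKADDR msg=audit(1399399325.124:4568): "
            "saddr=0A0001BB0000000020010DB800000000000000000000000100000000",
    "unix": "type=SOCKADDR msg=audit(1399399325.125:4569): "
            "saddr=01002F72756E2F646275732F73797374656D5F6275735F736F636B657400",
}


def decode_saddr(hex_blob: str) -> dict:
    """Decode one saddr= value. Assumes a little-endian host for sa_family;
    ports and IPv6 flowinfo are network byte order as in the kernel structs."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) < 2:
        raise ValueError("saddr shorter than sa_family")
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == AF_INET:                      # struct sockaddr_in (16 bytes)
        if len(raw) < 8:
            raise ValueError("truncated sockaddr_in")
        port, addr = struct.unpack_from("!H4s", raw, 2)
        return {"family": "AF_INET", "port": port,
                "addr": str(ipaddress.IPv4Address(addr))}
    if family == AF_INET6:                     # struct sockaddr_in6 (28 bytes)
        if len(raw) < 28:
            raise ValueError("truncated sockaddr_in6")
        port, flowinfo, addr = struct.unpack_from("!HI16s", raw, 2)
        scope_id = struct.unpack_from("<I", raw, 24)[0]   # host byte order
        return {"family": "AF_INET6", "port": port,
                "addr": str(ipaddress.IPv6Address(addr)), "scope_id": scope_id}
    if family == AF_UNIX:                      # struct sockaddr_un, sun_path
        body = raw[2:]
        if body.startswith(b"\0") and len(body) > 1:   # abstract namespace
            return {"family": "AF_UNIX", "path": "@" + body[1:].decode("utf-8", "replace")}
        return {"family": "AF_UNIX", "path": body.split(b"\0", 1)[0].decode("utf-8", "replace")}
    return {"family": f"unknown({family})", "raw": hex_blob}


def decode_record(line: str) -> dict:
    """Pull saddr= out of a full SOCKADDR audit line and decode it."""
    m = re.search(r"\bsaddr=([0-9A-Fa-f]+)", line)
    if not m:
        raise ValueError("no saddr= field in record")
    return decode_saddr(m.group(1))
```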
