Questions about the standard (Google Summer of Code Project)

Steve Grubb sgrubb at redhat.com
Thu Jul 14 16:38:04 UTC 2016


On Thursday, July 14, 2016 6:10:00 PM EDT Mateusz Piotrowski wrote:
> Hello,
> 
> Thank you for your reply! It is absolutely amazing. It clarified a lot.
> 
> >> b) Why are some records separated by a comma and a
> >> whitespace? Example:
> >>            type=DAEMON_START msg=audit(1363713609.192:5426): auditd
> >>            start, ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64
> >>            auid=500 pid=4979 subj=unconfined_u:system_r:auditd_t:s0
> >>            res=success
> > 
> > A long time ago the records were meant to be both human readable (don't
> > laugh) and machine consumable. Over time these have been converted
> > name=value pairs. Even the one you mention above has been fixed.
> 
> I am not sure if I understood; does it mean that `auditd start, ver=2.2` is
> outdated and deprecated? I'm confused because Debian did produce a log
> file with this element.

Every time that I find something that does not conform to name=value, I change
it or submit a patch. The current output is:

type=DAEMON_START msg=audit(1468495169.149:9305): op=start ver=2.6.5 
format=enriched kernel=4.6.3-300.fc24.x86_64 auid=4294967295 pid=987 
subj=system_u:system_r:auditd_t:s0 res=success
AUID="unset"

Audit 2.2 is from March 2012. That is pretty old now. 

Also notice that this event is in the enriched format. Auparse also hides that 
fact so that you don't need to worry about it. If you write your own parser, 
you'll need to handle both formats.

-Steve
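The advice above that a home-grown parser must cope with both the raw and the enriched format, as an added example that is not part of this thread or of the audit project's own code: a small Python parser for the two DAEMON_START records quoted above. It assumes the enriched fields are delimited from the raw text by a single 0x1d byte (rendered as the line break before `AUID="unset"` in the mail), and it keeps legacy free text such as `auditd start` as leftover rather than failing on it.

```python
import re
from dataclasses import dataclass

# An enriched record carries its raw text, then 0x1d (ASCII group separator),
# then uppercase-named fields such as AUID="unset" (assumption from the mail).
ENRICHED_SEP = "\x1d"
FIELD_RE = re.compile(r'([A-Za-z0-9_\-]+)=("[^"]*"|\S+)')   # name=value or name="v"
HEADER_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')  # msg=audit(ts:serial):

@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: dict      # raw name=value pairs, quotes stripped
    enriched: dict    # fields after the separator (empty for format=raw)
    leftover: list    # free text that is not name=value (legacy records)

def _parse_pairs(text):
    pairs, leftover, pos = {}, [], 0
    for m in FIELD_RE.finditer(text):
        junk = text[pos:m.start()].strip(" ,")   # e.g. "auditd start" in 2.2 logs
        if junk:
            leftover.append(junk)
        pairs[m.group(1)] = m.group(2).strip('"')
        pos = m.end()
    tail = text[pos:].strip(" ,")
    if tail:
        leftover.append(tail)
    return pairs, leftover

def parse_record(line):
    raw, _, extra = line.rstrip("\n").partition(ENRICHED_SEP)
    m = HEADER_RE.search(raw)
    if m is None:
        raise ValueError("record has no msg=audit(ts:serial) header")
    rtype = _parse_pairs(raw[:m.start()])[0].get("type", "")
    fields, leftover = _parse_pairs(raw[m.end():])
    enriched = _parse_pairs(extra)[0] if extra else {}
    return AuditRecord(rtype, float(m.group(1)), int(m.group(2)),
                       fields, enriched, leftover)

# Constructed samples: the two DAEMON_START records quoted in the thread.
OLD_RECORD = ("type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, "
              "ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 "
              "pid=4979 subj=unconfined_u:system_r:auditd_t:s0 res=success")
NEW_RECORD = ("type=DAEMON_START msg=audit(1468495169.149:9305): op=start ver=2.6.5 "
              "format=enriched kernel=4.6.3-300.fc24.x86_64 auid=4294967295 pid=987 "
              "subj=system_u:system_r:auditd_t:s0 res=success"
              + ENRICHED_SEP + 'AUID="unset"')
```

A parser that only knows the raw format would otherwise swallow the separator and the `AUID="unset"` text into the `res` value of an enriched record.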
