Audit Parsing Library Requirements

LC Bruzenak lenny at bruzenak.com
Fri Mar 10 19:42:00 UTC 2006


On Fri, 2006-03-10 at 14:32 -0500, Steve Grubb wrote:
> On Friday 10 March 2006 14:25, LC Bruzenak wrote:
> > If not a bother would you mind listing the fields in the record or point
> > me to a reference of what they are on your next spec?
> 
> We'll make that later in the project. I would need to spend some time going 
> over every single message. Amazingly, you can write a parser without knowing 
> what all is there since it all follows a well defined pattern.
> 
> -Steve

OK; that's true. The name/value pairs can be tweaked later.

I just got lost on the following IF descriptions:

...
const char *auparse_find_field(const char *name) - find a given field in
an event or record. Name is the left hand side of the name/value pair.
Returns pointer to the value as ascii text.

const char *auparse_find_field_next(void ) - find the next occurrence of
that field in the same record. Returns pointer to the value as ascii
text.
...

I didn't understand how in the first case you had 1 named field and in
the next there was more than one occurrence of that field. Seems to me
that (unless I misunderstand) you may in the first case think you know
the field name and stop processing that record ... but the second one
implies there are other fields by the same name.

That to me means that the field names are not unique; hence my question.

LCB.

-- 
LC Bruzenak
lenny at bruzenak.com
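To make the find_field / find_field_next split concrete, here is an added example written for this page (it is not auparse's own code and the struct, function names and sample record are constructed): a minimal scanner over one record's name=value pairs where the same name may occur more than once, so the "next" call resumes from where the previous match ended.

```c
/* Added example, not auparse code: a small "name=value" field scanner for
 * one audit record.  find_field() resets a cursor and returns the first
 * value for a name; find_field_next() returns the following occurrence of
 * the same name in the same record, or NULL when there is none. */
#include <string.h>

struct rec_cursor {          /* constructed state; auparse keeps its own */
    const char *rec;         /* raw record text */
    const char *pos;         /* where the next scan starts */
    char name[64];           /* field name being searched for */
    char value[256];         /* copy of the most recent value */
};

/* Scan from cur->pos for "name=" at a token boundary (start of record or
 * after a space).  The value runs to the next space, or to the closing
 * quote when it starts with " or '.  Returns the value or NULL. */
static const char *scan_field(struct rec_cursor *cur)
{
    size_t nlen = strlen(cur->name), len;
    const char *p = cur->pos, *v, *end;
    while ((p = strstr(p, cur->name)) != NULL) {
        if ((p == cur->rec || p[-1] == ' ') && p[nlen] == '=') {
            v = p + nlen + 1;
            if (*v == '"' || *v == '\'') {      /* quoted value */
                end = strchr(v + 1, *v);
                v++;
                if (!end) end = v + strlen(v);  /* unterminated quote */
            } else {                            /* bare value */
                for (end = v; *end && *end != ' '; end++) ;
            }
            len = (size_t)(end - v);
            if (len >= sizeof cur->value) len = sizeof cur->value - 1;
            memcpy(cur->value, v, len);
            cur->value[len] = '\0';
            cur->pos = end;                     /* resume after this value */
            return cur->value;
        }
        p += nlen;                              /* substring of another token */
    }
    cur->pos = cur->rec + strlen(cur->rec);
    return NULL;
}

const char *find_field(struct rec_cursor *cur, const char *rec, const char *name)
{
    cur->rec = cur->pos = rec;                  /* fresh search from the start */
    strncpy(cur->name, name, sizeof cur->name - 1);
    cur->name[sizeof cur->name - 1] = '\0';
    return scan_field(cur);
}

const char *find_field_next(struct rec_cursor *cur) { return scan_field(cur); }
```

On a constructed USER-style record such as `pid=100 uid=0 msg='op=demo uid=500 ...'` the first call for "uid" yields "0" and the next yields "500", which is exactly the non-unique-name situation the message asks about.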