Audit Parsing Library Requirements

Steve Grubb sgrubb at redhat.com
Fri Mar 10 19:50:26 UTC 2006


On Friday 10 March 2006 14:42, LC Bruzenak wrote:
> I didn't understand how in the first case you had 1 named field and in
> the next there was more than one occurrence of that field.

It would be stored internally for reference. Think strtok.

> Seems to me that (unless I misunderstand) you may in the first case think
> you know the field name and stop processing that record ... but the second
> one implies there are other fields by the same name.

Sort of... there are multiple fields with the same name in various records that 
make up an event. The idea is that you can pass the name one time and then 
it's stored internally until another call replaces it.

> That to me means that the field names are not unique; hence my question.

This is true. An example is uid. I think there are some places where the 
kernel inserts uid and userspace inserts uid to the same event.

-Steve
