Audit Parsing Library Requirements

Klaus Weidner klaus at atsec.com
Fri Mar 10 19:53:59 UTC 2006


On Fri, Mar 10, 2006 at 01:42:00PM -0600, LC Bruzenak wrote:
> That to me means that the field names are not unique; hence my question.

There are two separate issues here:

- audit records that contain the same field name twice for different
  purposes in a single record. I think this happens in a couple of places
  where uid or something like that is re-used. My preference would be to
  consider this a bug in the audit generation that needs fixing, instead
  of having the parser handle it. (As a side note, any remaining tag names
  containing spaces should also be fixed...)

- multiple related audit records for a single event that contain several
  instances of the same tag, for example a syscall such as rename() that
  generates multiple path tags for source and destination. I'm not sure
  how those get handled; is that what this is intended for?

Does the auparse library handle merging of related records for single
events, or is that left for higher level code?

-Klaus
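The two cases Klaus distinguishes above (a tag repeated inside one record versus the same tag spread over several records of one event, such as the two PATH records of a rename()) can be illustrated with a small parser. The following is an added example, not code from the post or from the auparse library; the log lines are constructed in the style of the kernel audit log, and the function names are the example's own. It keeps every field value in a list so a repeated tag inside a record is preserved and can be flagged, and it merges records into events by the serial in msg=audit(timestamp:serial), which is what lets the source and destination paths of a rename() be read back in item order.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post): event 789 is a rename()
# spanning SYSCALL, CWD and two PATH records (item=0 source, item=1 destination);
# event 790 is an unrelated open() with a single PATH record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1141674123.456:789): arch=c000003e syscall=82 success=yes exit=0 uid=1000 auid=1000 comm="mv" exe="/bin/mv"
type=CWD msg=audit(1141674123.456:789):  cwd="/home/user"
type=PATH msg=audit(1141674123.456:789): item=0 name="old.txt" inode=1234 dev=08:01 mode=0100644 ouid=1000 ogid=1000
type=PATH msg=audit(1141674123.456:789): item=1 name="new.txt" inode=1234 dev=08:01 mode=0100644 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1141674124.001:790): arch=c000003e syscall=2 success=yes exit=3 uid=1000 auid=1000 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1141674124.001:790): item=0 name="/etc/hostname" inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0
"""

# Record header: type=<TYPE> msg=audit(<seconds.millis>:<serial>): <fields>
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)=(?P<val>"[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit line into a dict; field values are lists so that a
    tag appearing twice in the same record is kept rather than overwritten."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = defaultdict(list)
    for f in FIELD_RE.finditer(m.group("body")):
        fields[f.group("key")].append(f.group("val").strip('"'))
    return {
        "type": m.group("type"),
        "timestamp": m.group("ts"),
        "serial": m.group("serial"),
        "fields": dict(fields),
    }


def duplicate_fields(record):
    """Tags that occur more than once within a single record (the first case
    in the post: a generation problem a consumer should at least detect)."""
    return {k: v for k, v in record["fields"].items() if len(v) > 1}


def group_events(lines):
    """Merge records into events keyed by the audit serial number (the second
    case in the post: several records, one event)."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return dict(events)


def event_paths(records):
    """Return the PATH names of one event ordered by their item= index, so a
    rename() yields [source, destination]."""
    paths = [r for r in records if r["type"] == "PATH"]
    paths.sort(key=lambda r: int(r["fields"]["item"][0]))
    return [r["fields"]["name"][0] for r in paths]


if __name__ == "__main__":
    events = group_events(SAMPLE_LOG.splitlines())
    for serial, recs in sorted(events.items()):
        print(serial, [r["type"] for r in recs], event_paths(recs))
    # A constructed record with uid= given twice, to show the duplicate check.
    bad = parse_record('type=SYSCALL msg=audit(1.0:1): uid=0 uid=1000 comm="x"')
    print("duplicates:", duplicate_fields(bad))
```

The design point is that a parser which stores fields in a plain dict silently drops one of two repeated tags, which hides the exact generation bug Klaus wants fixed; keeping lists makes the defect visible while still letting higher-level code read single-valued tags by index.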
