Audit Parsing Library Requirements
Loulwa Salem
loulwas at us.ibm.com
Mon Mar 13 15:28:56 UTC 2006
Steve Grubb wrote:
>>On the Side note issue, I am all for that, using a "space" when "_"
>>should be just makes for a lot of unnecessary parsing exceptions to skip
>>those lonely words.
>
> That would actually slow down parsing since I would now have to do lots of
> exception processing. It has to be high performance and adding spaces just
> makes that harder to achieve.
exactly my point ... I have to deal with the same exceptions for our
parser. Best thing and what makes the most sense is to use "audit_uid"
for example instead of "audit uid" and so on for all those two word fields.
>>Also, many audit records have what seems to me to be random symbols (ex.
>> , : ( ' ). If we get rid of those .. that would be great.
>
> They are separators for different kinds of information. Don't worry about any
> of these details. auparse library should make it such that you don't worry
> about the underlying details.
Well .. our parser right now just skips those symbols when it encounters
them, but I wanted to bring it up to better understand what purpose they
serve. If they are necessary, then I guess they stay.
-loulwa
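
An added illustration of the field-name point discussed in this message (not code from the post, from auparse, or from the poster's parser): a whitespace-and-"=" tokenizer run over two constructed records, showing how "audit uid" leaves stray words and puts two distinct fields under the same key "uid", while "audit_uid" parses cleanly. The record layout, the field values and the tokenize/keys helpers are assumptions made for this example.

```python
# Added example: both sample records are constructed, not real audit output.
SEPARATORS = ",:()'"  # the symbols named in the thread

SPACED = "type=LOGIN pid=2001, audit uid=500: (old audit uid=4294967295 res=success)"
UNDERSCORED = "type=LOGIN pid=2001, audit_uid=500: (old_audit_uid=4294967295 res=success)"


def tokenize(record, join_orphans=False):
    """Split a record into (key, value) pairs plus words that had no '='.

    With join_orphans=True, bare words are glued onto the next key with '_',
    which is the exception handling a space-separated name forces on a parser.
    """
    pairs, orphans, pending = [], [], []
    for token in record.split():
        token = token.strip(SEPARATORS)
        if not token:
            continue
        key, eq, value = token.partition("=")
        if not (eq and key):
            # A "lonely word": half of a field name, or genuine free text.
            (pending if join_orphans else orphans).append(token)
            continue
        if pending:
            key = "_".join(pending + [key])
            pending = []
        pairs.append((key, value))
    orphans.extend(pending)  # bare words that no key followed
    return pairs, orphans


def keys(record, **kw):
    """Return only the field names, in record order."""
    return [k for k, _ in tokenize(record, **kw)[0]]


if __name__ == "__main__":
    for label, rec in (("spaced", SPACED), ("underscored", UNDERSCORED)):
        print(label, tokenize(rec))
    print("spaced+join", tokenize(SPACED, join_orphans=True))
```

The join heuristic recovers the names here, but it would also glue a genuine free-text word onto whatever key follows it, which is why the underscore form is the one a parser can handle without guessing.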