Changes to Audit record format
Loulwa Salem
loulwas at us.ibm.com
Wed Mar 15 19:45:14 UTC 2006
John D. Ramsdell wrote:
>> All two-word fields should have an "_" between the words
>> rather than a space (since we use the space as a delimiter, which makes
>> the most sense, we end up with lonely words that need to be ignored
>> currently). Using "_" would make life easier instead.
>
>
> I'm confused. Are you talking about ausearch output, or about the
> names that will be returned by the parsing library's functions? If
> it's the ausearch output, records of type SOCKADDR fail to meet your
> parsing requirements. It's as if colon becomes the name/value pair
> separator.
>
Currently we have our own parser that reads records directly from
/var/log/audit/audit.log, and that's what I am referring to. I am talking
about the way the audit record is printed to the audit log, not the
ausearch output.
thanks,
- Loulwa
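As an added example (not code from the list thread or from the audit project), the Python below parses the raw /var/log/audit/audit.log line layout that the message above refers to: `type=<TYPE> msg=audit(<secs>.<ms>:<serial>): key=value ...`. It shows concretely what the space-delimited split loses: tokens that are not `key=value` (the `avc:  denied  { read } for` prefix of an AVC record, the leading `user` of a USER_* record, or the tail of an unquoted two-word value) become "lonely words", and a naive splitter silently drops them. It also decodes the raw `saddr` hex of a SOCKADDR record, which in audit.log is a single token; the `host:... serv:...` colon form is what ausearch prints, not what is on disk. The sample records are constructed for this example, the `EXAMPLE` record type with its `descr=two words` field is hypothetical, and the decoder assumes a little-endian host (x86) for the sockaddr family field.

```python
import re
import socket
import struct
from typing import Dict, List

# Constructed sample records in the raw audit.log layout; not copied from a
# real system. The final EXAMPLE record is hypothetical: it carries an
# unquoted two-word value to show the problem the mail describes.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1142450714.123:456): arch=c000003e syscall=2 success=yes exit=3 pid=2345 auid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1142450714.123:456): cwd="/home/loulwa"
type=AVC msg=audit(1142450714.124:457): avc:  denied  { read } for  pid=2345 comm="cat" name="shadow" scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
type=SOCKADDR msg=audit(1142450714.125:458): saddr=02000050C0A801010000000000000000
type=USER_AUTH msg=audit(1142450714.126:459): user pid=2400 uid=0 auid=500 msg='PAM: authentication acct=loulwa : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=EXAMPLE msg=audit(1142450714.127:460): op=something descr=two words pid=2345
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# A field is key=value; the value may be "double-quoted", 'single-quoted'
# (the inner msg='...' of USER_* records) or a bare run of non-space chars.
# Any other token on the line is a stray: a "lonely word" in the mail's terms.
TOKEN_RE = re.compile(
    r"""(?P<key>[A-Za-z_][A-Za-z0-9_\-]*)=(?P<val>"[^"]*"|'[^']*'|\S*)|(?P<stray>\S+)"""
)


def parse_record(line: str) -> Dict[str, object]:
    """Parse one raw audit record into header fields plus key=value pairs.

    Non key=value tokens are kept under '_stray' rather than dropped, so the
    caller can see what a plain space split would have lost or misparsed.
    """
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rec: Dict[str, object] = {
        "type": m.group("type"),
        "timestamp": m.group("ts"),
        "serial": int(m.group("serial")),
    }
    stray: List[str] = []
    for t in TOKEN_RE.finditer(m.group("body")):
        if t.group("key") is not None:
            val = t.group("val")
            if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
                val = val[1:-1]  # strip the surrounding quotes
            rec[t.group("key")] = val
        else:
            stray.append(t.group("stray"))
    rec["_stray"] = stray
    return rec


def naive_split(line: str) -> Dict[str, str]:
    """The space-delimited split the mail complains about: each whitespace-
    separated token is taken as key=value and everything else is discarded,
    so 'descr=two words' quietly becomes descr='two'."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def decode_saddr(hexstr: str) -> Dict[str, object]:
    """Decode the raw saddr hex of a SOCKADDR record for AF_INET.

    The kernel logs the sockaddr bytes verbatim: a 16-bit family in host byte
    order (assumed little-endian, as on x86), then for AF_INET the port and
    address in network byte order. The colon form 'inet host:... serv:...'
    only appears in ausearch's interpreted output.
    """
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[0:2])[0]
    if family != socket.AF_INET or len(raw) < 8:
        return {"family": family, "raw": hexstr}
    port = struct.unpack("!H", raw[2:4])[0]
    host = socket.inet_ntoa(raw[4:8])
    return {"family": family, "host": host, "port": port}


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_record(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["type"], rec)
    # The EXAMPLE record ends up with descr='two' and _stray=['words'];
    # written as descr=two_words there would be nothing stray to ignore.
```

Running it on the sample shows the thread's two points side by side: the AVC and USER_AUTH records always produce stray tokens because their prefixes are not key=value, so an audit.log parser has to tolerate lonely words whatever the field naming convention is, while the SOCKADDR record parses cleanly as a single `saddr=` token in the raw log and only looks colon-separated once ausearch interprets it.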