A combined audit event message

Matthew Booth mbooth at redhat.com
Fri Feb 27 21:51:15 UTC 2009


Steve Grubb wrote:
> On Friday 27 February 2009 04:21:37 pm Matthew Booth wrote:
>> This has led me to explore combining records on the host
>> before sending them out. I'm currently intending to produce messages
>> like this
> 
> Combining like this means adding a new character '|' to the decision about 
> what constitutes an encoded field. Personally, I am not in favor of any 
> radical changes in the next 3-4 months. Just some slow evolution.

Thinking about it, I'm using a combination of space (which presumably is
escaped) and a pipe. The space should mean that escaping isn't a
problem, while the pipe indicates the end of a record. '|' is just like
a field name in this respect. Have I missed something?

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
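
The delimiter reasoning in the message above, as an added example that is not part of the original post or of the audit project's code. It assumes records are joined by a lone `|` token and that any field value containing a space is hex-encoded (the message's "presumably is escaped"); the function names and sample data are constructed.

```python
# Added illustration: record layout, names and sample data are constructed.
import binascii

def encode_value(raw: bytes) -> str:
    """Assumed escaping rule: hex-encode a value that contains a space,
    a double quote or a non-printable byte; otherwise wrap it in quotes."""
    if any(b < 0x21 or b > 0x7E or b == 0x22 for b in raw):
        return binascii.hexlify(raw).decode().upper()
    return '"' + raw.decode() + '"'

def decode_value(text: str) -> bytes:
    """Reverse encode_value()."""
    if text.startswith('"'):
        return text[1:-1].encode()
    return binascii.unhexlify(text)

def combine(records):
    """Join records (lists of (name, raw value)) with a lone '|' token."""
    return " | ".join(
        " ".join(f"{name}={encode_value(value)}" for name, value in rec)
        for rec in records
    )

def split_records(message: str):
    """Split on spaces; a token that is exactly '|' ends a record.
    A '|' inside a value never forms a token of its own, because a value
    with a space in it would have been hex-encoded."""
    records, current = [], []
    for token in message.split(" "):
        if token == "|":
            records.append(current)
            current = []
        else:
            name, _, value = token.partition("=")
            current.append((name, decode_value(value)))
    records.append(current)
    return records

# Constructed sample: one value holds a bare pipe, another holds " | ".
SAMPLE = [
    [("comm", b"a|b"), ("name", b"x | y")],
    [("name", b"/tmp/f")],
]

if __name__ == "__main__":
    wire = combine(SAMPLE)
    print(wire)
    print(split_records(wire))
```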




More information about the Linux-audit mailing list