auparse question
Miloslav Trmac
mitr at redhat.com
Tue Aug 30 23:18:02 UTC 2011
----- Original Message -----
> I'm using auparse_get_field_type from the parse lib.
> The return value for error is "0" which is also that of the AUDIT_PID
> field.
>
> Right? I am getting some errors that thought they were PIDs.
The return value of auparse_get_field_type() is a value from auparse_type_t defined in auparse-defs.h. 0 is AUPARSE_TYPE_UNCLASSIFIED (i.e. "there is no current field, or we don't know what kind of data is in the field"). AUPARSE_TYPE_* and the AUDIT_* field enums both deal with fields, but are distinct. It is somewhat confusing I'm afraid.
Mirek
More information about the Linux-audit
mailing list