Auparse feature or bug

Steve Grubb sgrubb at redhat.com
Thu Mar 14 10:54:20 UTC 2013


On Thursday, March 14, 2013 09:21:30 PM Burn Alting wrote:
> As you can see, we have lost the 'password' element of the
> 	"op=change password"
> key value pair in the original event.
> 
> Is this a feature or bug???

It's a feature. The only thing guaranteed by the audit system is that 
name=value pairs are supported. Additional text may be there to add context 
for people reading the event. But for machine parsing only name=value is 
returned. So, if the additional text is needed, then either '-' or '_' can be 
added between words (as many other events do).

-Steve
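
The rule described in the reply above, as an added example that is not part of the original post and is not libauparse code: a simplified Python model of name=value splitting, run over a constructed record body, showing the bare word being ignored and the '-'-joined form surviving. The function names and the sample record are assumptions made for illustration.

```python
import re

# Simplified model of name=value splitting, written for illustration.
# It is NOT libauparse's parser; it only mirrors the rule stated above:
# name=value pairs are returned, free text between them is not.
TOKEN = re.compile(r'([A-Za-z0-9_-]+)=("[^"]*"|\S*)|(\S+)')


def parse_fields(body):
    """Split a record body into name=value fields and ignored bare words."""
    fields, ignored = {}, []
    for m in TOKEN.finditer(body):
        if m.group(1) is not None:
            # A name=value token; drop surrounding double quotes if present.
            fields[m.group(1)] = m.group(2).strip('"')
        else:
            # Context text for human readers; a field parser skips it.
            ignored.append(m.group(3))
    return fields, ignored


def format_field(name, value, sep="-"):
    """Emit a field whose multi-word value survives name=value parsing."""
    return f"{name}={sep.join(value.split())}"


# Constructed sample record bodies (not taken from a real log).
TAIL = ' id=1000 exe="/usr/bin/passwd" res=success'
ORIGINAL = "op=change password" + TAIL
FIXED = format_field("op", "change password") + TAIL

if __name__ == "__main__":
    for body in (ORIGINAL, FIXED):
        fields, ignored = parse_fields(body)
        print(f"op={fields['op']!r} ignored={ignored}")
```

A non-empty `ignored` list is a quick check, when writing or reviewing event text, for words that a field-based consumer will not see.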



