Auparse feature or bug
Burn Alting
burn at swtf.dyndns.org
Thu Mar 14 11:10:42 UTC 2013
OK. So, in essence, the example I provided is a just poorly formatted
event from PAM. Or rather, one that can't be parsed by the auparse
library without loss of data.
TIA
On Thu, 2013-03-14 at 06:54 -0400, Steve Grubb wrote:
> On Thursday, March 14, 2013 09:21:30 PM Burn Alting wrote:
> > As you can see, we have lost the 'password' element of the
> > "op=change password"
> > key value pair in the original event.
> >
> > Is this a feature or bug???
>
> Its a feature. The only thing guaranteed by the audit system is that
> name=value pairs are supported. Additional text may be there to add context
> for people reading the event. But for machine parsing only name=value is
> returned. So, if the additional text is needed, then either '-' or '_' can be
> added between words (as many other events do).
>
> -Steve
More information about the Linux-audit
mailing list