Questions about the standard (Google Summer of Code Project)
Mateusz Piotrowski
0mp at FreeBSD.org
Thu Jul 14 16:10:00 UTC 2016
Hello,
Thank you for your reply! It is absolutely amazing. It clarified a lot.
>> b) Why are some records separated by a comma and a
>> whitespace? Example:
>>
>> type=DAEMON_START msg=audit(1363713609.192:5426): auditd start,
>> ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979
>> subj=unconfined_u:system_r:auditd_t:s0 res=success
>
> A long time ago the records were meant to be both human readable (don't laugh)
> and machine consumable. Over time these have been converted to name=value pairs.
> Even the one you mention above has been fixed.
I am not sure if I understood; does it mean that `auditd start, ver=2.2` is outdated and deprecated? I'm confused because my Debian did produce a log file with this element.
Cheers,
-m
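The thread is about the two shapes an audit record can take: the older form with a free-text fragment such as `auditd start,` in front of the name=value pairs, and the current form that is name=value pairs only. The following parser is an added example written for this page, not code from the linux-audit project or from either poster. It splits the `type=... msg=audit(timestamp:serial):` header from the body, collects every `key=value` pair (quoted values with spaces included), and keeps any leftover free text separately, so a log consumer still gets `ver=2.2` and `res=success` out of the legacy record while flagging that the record is not pure name=value. The sample lines are constructed: the first reproduces the DAEMON_START record quoted above, the other two are made up for this example (`op=start` and the EXECVE argv fields are stand-ins, not values taken from the page).

```python
import re
from typing import Any, Dict, List

# Header: type=<TYPE> msg=audit(<seconds.millis>:<serial>): <body>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# One name=value pair; the value may be double-quoted, single-quoted, or a bare token.
PAIR_RE = re.compile(r"""(?P<key>[A-Za-z0-9_\-]+)=(?P<val>"[^"]*"|'[^']*'|\S+)""")

# Constructed sample records (not taken from a real system log).
SAMPLE_RECORDS: List[str] = [
    # Legacy shape quoted in the thread: free text "auditd start," before the pairs.
    "type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, "
    "ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 "
    "subj=unconfined_u:system_r:auditd_t:s0 res=success",
    # Constructed name=value-only variant of the same event (op=start is a placeholder).
    "type=DAEMON_START msg=audit(1363713609.192:5427): op=start ver=2.2 format=raw "
    "kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 "
    "subj=unconfined_u:system_r:auditd_t:s0 res=success",
    # Constructed record with a quoted value containing a space.
    'type=EXECVE msg=audit(1363713700.000:5428): argc=2 a0="ls" a1="my dir"',
]


def parse_record(line: str) -> Dict[str, Any]:
    """Parse one audit record into header fields, name=value pairs and free text."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    body = m.group("body")
    fields: Dict[str, str] = {}
    free_text: List[str] = []
    last = 0
    for pm in PAIR_RE.finditer(body):
        # Anything between the previous pair and this one is free text.
        gap = body[last:pm.start()].strip(" ,")
        if gap:
            free_text.append(gap)
        value = pm.group("val").rstrip(",")
        fields[pm.group("key")] = value.strip("\"'")
        last = pm.end()
    tail = body[last:].strip(" ,")
    if tail:
        free_text.append(tail)
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
        "free_text": " ".join(free_text),
    }


def is_legacy_format(record: Dict[str, Any]) -> bool:
    """True when the body carried text that is not a name=value pair."""
    return bool(record["free_text"])


def parse_all(lines: List[str]) -> List[Dict[str, Any]]:
    """Parse a batch of records; a consumer would read these from audit.log."""
    return [parse_record(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_RECORDS):
        tag = "legacy" if is_legacy_format(rec) else "name=value"
        print(f"{rec['type']} serial={rec['serial']} [{tag}] {rec['fields']}")
```

Keeping the free text in its own field rather than discarding it is deliberate: a SIEM rule keyed on `res=success` works on both shapes, and the `is_legacy_format` check lets you spot hosts still emitting the older record layout.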
More information about the Linux-audit mailing list