Dispatcher - single line output (perl)

There have been a few requests on this list for a single-line-per-event output format. little challenging due to the potential memory/cache requirements - having to save off the 'pieces' of an event from initiation to exit, could be quite expensive when we're talking in-kernel resources. Hence, we're left with an audit output that could: * Have an arbitrary number of lines per unique event, * Be chronologically distributed in some cases (event lines may be spread over several seconds), * Be out of sequence (numerically - two lines from event A, might be followed by 1 line from event B, then another line from event A, followed by the rest of event B). * Have multiple 'items' with the same name (eg: source/dest UID's for a CHMOD have the same 'name/key', though they are on different lines). (Please let me know if these assumptions are incorrect!) However, the dispatcher infrastructure offers the potential to implement this sort of functionality in user-space. As such, I've been playing with some perl that should translate SYSCALL events to something that should be reasonably parse-able by follow-on processing applications that expect events in a single-line form (eg: logwatch, a SQL-based data injector, Snare or Snare Server). Here's a sample line. Note that events are in header/data format (tab delimited between components, comma delimited within a component). rhel4 LinuxKAudit event,11,20060509 06:36:25 user,0(root),0(root),0(root),0(root) process,25068,id path,/usr/bin/id return,0,yes a0,9f96ba8 a1,9f96b28 a2,9f84b40 a3,9f96b28 arch,40000003 auid,4294967295 exe,/usr/bin/id fsgid,0 fsuid,0 items,2 sgid,0 suid,0 The program works roughly as follows: while read line break line up into key/value pairs pop the key/value data into an associative array (with a key of the event number) if we have an items=x key/value pair saved off for this event number, and we have 'x' PATH-related lines now, then we must have a complete event. Push it out. ALSO push out any events that we haven't had any new lines for, for more than 15 seconds. .. We also getpwname/getgrname (with an internal cache to avoid recursive audit events), and an internal simple realpath() to turn /path/to/blah/../../to/somewhere into /path/to/somewhere. The raw perl is attached. Does anyone have any comments, or suggestions? (I don't care about structure at this point - it's early days yet - I'm sure perl aficionados could do the entire program in a single line). In particular, comments would be welcome on how to absolutely, programatically determine when an 'event' is complete, and it is safe to push out our final 'line'. Regards, Leigh.