Hi<br>I have a case where I need to audit some command which goes like:<br><br>cmd -a foo -b -c -query &#39;some query&#39;<br><br>What I get in the audit log is:<br><br>type=EXECVE msg=audit(1282117611.037:27469599): argv<span class="error">[0]</span>=&quot;cmd&quot; argv<span class="error">[1]</span>=&quot;-a&quot; argv<span class="error">[2]</span>=&quot;foo&quot; argv<span class="error">[3]</span>=&quot;-b&quot; argv<span class="error">[4]</span>=&quot;-c&quot; argv<span class="error">[5]</span>=&quot;-query&quot; argv<span class="error">[6]</span>=737472626567696E73287468726561645F69642C227468726561645F69643D32333639383932662229 <br>
<br>The argv[6] is even sometimes like &#39;arg,&quot;id=123&quot;&#39; , I guess that doesn&#39;t make much difference..<br><br>Is there any way to catch the quoted argument as it is and not as an interesting longstring?<br>
<br>Tnx<br>Jure<br>