Proposed additions to ausearch

I want to add a number of features to ausearch and would like the list to make comment on my proposals before implementing same. #1 Have ausearch only output whole events (all supplemental records of an event must be present in the audit.log files to be output) and maintain state to know the last whole event displayed. The use case is for when one periodically processes the audit log files and the last log file opened does not necessarily hold whole events for the last few events in the file. One could possibly achieve this using the --start/--end arguments to ausearch but it would be challenging to work out the appropriate start/end times on a high log throughput system. My plan is to maintain state recording the last whole event displayed along with details of the file it resided in (eg inode, etc). #2 Add a 'parser friendly' option to ausearch's -i output such that it is more friendly for parsing. As we know, the -i argument causes output in the form of - a "header" comprising - the node if present as a key value pair - the event type as a key value pair - the message date/time and serial - a colon - a series of key value pairs The new option would have output that - surrounds all values with double quotes - escape embedded double quote and backslash characters in the value with the backslash character '\' - translate embedded newlines or carriage returns into '\n' and '\r' respectively - translate all non-printing characters into escaped octal values or some other recommended text based format. #3 Add an option to include the original value as well as the interpreted value when interpretation (-i) is requested. This would be for specified keys or, key types. One use case would be for user or group names to include the original uid/gids. This is to aid de-conflicting inadvertent user or group attribution across an enterprise environment. The option would have arguments that identify what key values will have both original and interpreted values. Regards Burn Alting