Questions about the standard (Google Summer of Code Project)

Hi, I participate in Google Summer of Code and my project involves converting Linux Audit logs to BSM logs. As I was writing a parser and converter I stumbled upon a couple of things I do not understand and I cannot find in the documentation: 1. Where are all the elements like auditd start, user, etc. listed? I cannot find any document which specifies what can occurs between the colon (separating the type and the msg=audit(…) from the fields) and the record’s fields. 2. Why are there two spaces between the colon and the first field in records of type=CWD and a field cwd=“/root”? Here’s an example: type=CWD msg=audit(1464013682.961:409): cwd="/root” 3. According to Red Hat’s documentation[1]: a) Is a white space always a space? Can be any white space like the tab character? b) Why do some records are separated by a comma and a whitespace? Example: type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 subj=unconfined_u:system_r:auditd_t:s0 res=success I’ve posted the question on Unix & Linux SE: [3]. 4. Is it possible that there are duplicate fields in a record? Something like (which doesn’t make much sense obviously): type=CWD msg=audit(1464013682.961:409): cwd="/root” cwd=“/usr” I’ve already asked a similar question on Unix & Linux SE: [4]. 5. Is there a document which answers my questions? That would be cool! Thanks a lot for help! Cheers! Matuesz Piotrowski [GSoC project’s wiki]: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools <https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools> [1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/... <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/... [3]: http://unix.stackexchange.com/questions/293975/undocumented-format-of-lin... <http://unix.stackexchange.com/questions/293975/undocumented-format-of-lin... [4]: http://unix.stackexchange.com/questions/293809/can-i-be-sure-that-the-nam... <http://unix.stackexchange.com/questions/293809/can-i-be-sure-that-the-nam...