On Friday 10 March 2006 17:45, Debora Velarde wrote:
1. In this case would auparse_get_host(auparse_state_t *au) retrieve the
hostname of this record?
It would retrieve the name of the machine that the audit message came from. In
this format, it would default to the rough equivalent of "uname -n". The
record format will change to accommodate a host field. This is needed so that
a data center can have a central logger that stores everything.
2. Will the user have to extract the values of 'user' and 'exe' from the
entire value of 'msg' themselves?
No. Look at the example code. You would do:

    if (auparse_find_field(au, "user")) {
        const char *str = auparse_get_field_str(au);
        do_whatever(str);
    }

Or can the API return the values for those individually?
Yes.
-Steve
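
For contrast with the find-then-get calls above, this added example (not part of the original message, and not libauparse code) shows the by-hand extraction of 'user' and 'exe' from inside 'msg' that the API is meant to replace. The helper name `find_field` is hypothetical and the record is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample record, not taken from the thread. */
static const char SAMPLE[] =
    "type=USER_AUTH msg=audit(1142030700.123:42): pid=2301 auid=500 uid=0 "
    "msg='PAM authentication: user=jdoe exe=\"/usr/sbin/sshd\" "
    "(hostname=host1, addr=192.0.2.10, terminal=ssh res=success)'";

/* Hypothetical helper: copy the value of field `name` into `out`.
 * Returns 0 when found, -1 when absent or when `out` is too small. */
static int find_field(const char *rec, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = rec;
    if (nlen == 0)
        return -1;
    while ((p = strstr(p, name)) != NULL) {
        /* Match whole names only: "uid" must not hit inside "auid". */
        int at_start = (p == rec) || strchr(" '(", p[-1]) != NULL;
        if (at_start && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t len;
            if (*v == '"') {                /* quoted value may hold spaces */
                const char *end = strchr(++v, '"');
                if (end == NULL)
                    return -1;              /* unterminated quote */
                len = (size_t)(end - v);
            } else {
                len = strcspn(v, " ,)'");   /* bare value ends at a delimiter */
            }
            if (len >= outsz)
                return -1;                  /* refuse to truncate silently */
            memcpy(out, v, len);
            out[len] = '\0';
            return 0;
        }
        p += nlen;
    }
    return -1;
}

int main(void)
{
    char user[64], exe[256];
    if (find_field(SAMPLE, "user", user, sizeof user) == 0 &&
        find_field(SAMPLE, "exe", exe, sizeof exe) == 0)
        printf("user=%s exe=%s\n", user, exe);
    return 0;
}
```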