John D. Ramsdell wrote:
> All two-word fields should have an "_" between the
> words rather than a space (since we use the space as a delimiter, which makes
> the most sense, we end up with lonely words that need to be ignored
> currently). Using "_" would make life easier instead.
I'm confused. Are you talking about ausearch output, or about the
names that will be returned by the parsing library's functions? If
it's the ausearch output, records of type SOCKADDR fail to meet your
parsing requirements. It's as if colon becomes the name/value pair
separator.
Currently we have our own parser that reads records directly from
/var/log/audit/audit.log, and that's what I am referring to. I am talking
about the way the audit record is printed to the audit log, not the
ausearch output.
thanks,
- Loulwa
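As an added illustration of the parsing problem discussed in this thread (example code, not from any of the participants or from the audit project): a minimal parser for raw /var/log/audit/audit.log records that splits on spaces, collects name=value pairs, and reports the bare tokens ("lonely words") that such a split leaves behind, plus a decoder for the hex saddr= field of a raw SOCKADDR record, which in the raw log is a single field with no colons. The sample records are constructed in the standard raw layout and are not taken from the thread.

```python
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample records in raw audit.log layout (not from the thread).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 '
    'comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="sshd_config"',
    # AVC records carry bare words ("avc:", "denied", "{ read }", "for") between the fields.
    'type=AVC msg=audit(1364481363.243:24287): avc:  denied  { read } for  pid=2465 comm="cat" '
    'path="/etc/ssh/sshd_config" dev=dm-0 ino=284133 tclass=file',
    # Raw SOCKADDR: the whole struct sockaddr is one hex-encoded field.
    'type=SOCKADDR msg=audit(1364481363.243:24288): saddr=020000357F0000010000000000000000',
]

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
# Either name=value (quoted or bare value), or a bare token with no "=" at all.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)|(\S+)')


def parse_record(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Split one raw record into its name=value fields and the "lonely words"
    (tokens without "=") that a space-delimited split leaves over."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an audit record: {line!r}")
    fields = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    lonely: List[str] = []
    for name, value, stray in TOKEN_RE.findall(m.group(4)):
        if stray:
            lonely.append(stray)
        else:
            fields[name] = value.strip('"')  # colons inside a value are kept as-is
    return fields, lonely


def decode_inet_saddr(hex_saddr: str) -> Tuple[str, int]:
    """Decode a raw AF_INET saddr= value (hex struct sockaddr_in) into (address, port).
    sa_family is in host byte order (little-endian on x86); sin_port is network order."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack("<H", raw[:2])[0]
    if family != 2:  # AF_INET
        raise ValueError(f"unsupported address family {family}")
    port = struct.unpack("!H", raw[2:4])[0]
    addr = ".".join(str(b) for b in raw[4:8])
    return addr, port


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        fields, lonely = parse_record(rec)
        print(fields["type"], sorted(fields), "lonely words:", lonely)
```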