Steve Grubb <sgrubb(a)redhat.com> writes:
> Each record is denoted by a type which indicates what fields will
> follow. Information in the fields is held by a name/value pair that
> contains an '=' between them. Each field is separated from one
> another by a space or comma.
Please do not separate fields with commas. The length of each line is
way too long as it is. Furthermore, when ausearch interprets numeric
entities into text, there is a simple, lex-based program that can
format the output into XML with the following DTD:
<!ELEMENT au (seq)*>
<!ELEMENT seq (tab)+>
<!ELEMENT tab (ent)+>
<!ELEMENT ent EMPTY>
<!ATTLIST ent
          key CDATA #REQUIRED
          val CDATA #IMPLIED>
The output can then be consumed with another, very simple Python
program:
--------------------- consume.py -------------------------
import sys
import xml.sax
import xml.sax.handler


def main():
    if len(sys.argv) != 2:
        print("Usage: " + sys.argv[0] + " FILE")
    else:
        xml.sax.parse(sys.argv[1], AuditHandler())


class AuditHandler(xml.sax.handler.ContentHandler):
    """Rebuild each <seq> as a list of dicts, one dict per <tab>,
    keyed by the <ent key="..." val="..."/> pairs inside it."""
    seq = None
    tab = None

    def startElement(self, name, attrs):
        if name == 'seq':
            self.seq = []
        elif name == 'tab':
            self.tab = {}
        elif name == 'ent' and "key" in attrs and "val" in attrs:
            self.tab[attrs.getValue("key")] = attrs.getValue("val")

    def endElement(self, name):
        if name == 'tab':
            self.seq.append(self.tab)
        elif name == 'seq':
            consume(self.seq)


def consume(seq):
    print('seq', len(seq))  # Do something interesting here


if __name__ == "__main__":
    main()
--------------------- consume.py -------------------------
I see value in having a way to consume ausearch output without having
access to audit development libraries. If I want to write a one off
audit analysis tool, the combination of the XML formatter and a simple
Python script would greatly shorten the time required to write the
analysis tool. Having that tool is allowing me to analyze audit data
right now.
The program that converts ausearch output into XML is called auxml,
and is in the CVS repository of the polgen project on SourceForge, in
the pkg/auxml directory of the polgen module. The package includes a
manual page.
John
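As an added example, not code from this mail or from the auxml project: a small producer that turns key=value record lines into XML of the shape the DTD above describes (escaping attribute values, so a field containing '<' or '"' cannot break the document), and a consumer that does the "something interesting" by listing SYSCALL records with success=no. The record lines are constructed sample data, and the field names syscall, success and exe are assumed for the example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr


def parse_fields(line):
    """Split one record line on whitespace into a {name: value} dict.
    Fields are name/value pairs joined by '='; anything else is skipped."""
    tab = {}
    for field in line.split():
        name, sep, value = field.partition("=")
        if sep:
            tab[name] = value
    return tab


def records_to_xml(sequences):
    """Render a list of sequences (each a list of record lines) as
    <au><seq><tab><ent key=.. val=../>...</tab></seq></au>.
    quoteattr() escapes '<', '&' and quotes inside field values."""
    out = ["<au>"]
    for seq in sequences:
        out.append("<seq>")
        for line in seq:
            ents = "".join(
                f"<ent key={quoteattr(k)} val={quoteattr(v)}/>"
                for k, v in parse_fields(line).items())
            out.append(f"<tab>{ents}</tab>")
        out.append("</seq>")
    out.append("</au>")
    return "".join(out)


def failed_syscalls(xml_text):
    """Consume the XML: return (syscall, exe) for every SYSCALL record
    whose success field is 'no'."""
    hits = []
    for seq in ET.fromstring(xml_text).iter("seq"):
        for tab in seq.iter("tab"):
            fields = {e.get("key"): e.get("val") for e in tab.iter("ent")}
            if fields.get("type") == "SYSCALL" and fields.get("success") == "no":
                hits.append((fields.get("syscall"), fields.get("exe")))
    return hits


# Constructed sample records (assumed field names, not real ausearch output).
SAMPLE = [
    ["type=SYSCALL syscall=open success=no exit=-13 exe=/usr/bin/cat",
     "type=PATH name=/etc/shadow"],
    ["type=SYSCALL syscall=open success=yes exit=3 exe=/usr/bin/cat",
     "type=PATH name=/etc/passwd"],
    ["type=SYSCALL syscall=execve success=no exit=-13 exe=/tmp/a<b"],
]

if __name__ == "__main__":
    print(failed_syscalls(records_to_xml(SAMPLE)))
```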