On Fri, Mar 10, 2006 at 01:42:00PM -0600, LC Bruzenak wrote:
> That to me means that the field names are not unique; hence my
> question.
There are two separate issues here:
- audit records that contain the same field name twice for different
purposes in a single record. I think this happens in a couple of places
where uid or something like that is re-used. My preference would be to
consider this a bug in the audit generation that needs fixing, instead
of having the parser handle it. (As a side note, any remaining tag names
containing spaces should also be fixed...)
- multiple related audit records for a single event that contain several
instances of the same tag, for example a syscall such as rename() that
generates multiple path tags for source and destination. I'm not sure
how those get handled; is that what this is intended for?
Does the auparse library handle merging of related records for single
events, or is that left for higher-level code?
-Klaus
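
The two cases raised in the message above, as an added example that is not part of the original mail and is not auparse code: a small parser that keeps repeated field names within one record and groups records sharing an event ID. It assumes the `type=... msg=audit(timestamp:serial): key=value ...` record layout; the sample records, the `EXAMPLE` record type and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (assumption, not from the thread): one rename() event with a
# SYSCALL and two PATH records, plus a hypothetical record that uses "uid" twice.
SAMPLE = '''\
type=SYSCALL msg=audit(1142019720.123:501): arch=40000003 syscall=38 success=yes exit=0 pid=2211 uid=500 comm="mv"
type=PATH msg=audit(1142019720.123:501): item=0 name="/tmp/old" inode=1001
type=PATH msg=audit(1142019720.123:501): item=1 name="/tmp/new" inode=1002
type=EXAMPLE msg=audit(1142019731.456:502): uid=0 op=change uid=500
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (event_id, type, fields); fields keeps order and duplicate names."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    rtype, stamp, serial, body = m.groups()
    fields = [(k, v.strip('"')) for k, v in FIELD.findall(body)]
    return (stamp, int(serial)), rtype, fields

def group_events(text):
    """Merge records that share a timestamp:serial pair into one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            event_id, rtype, fields = parse_record(line)
            events[event_id].append((rtype, fields))
    return dict(events)

def duplicate_fields(fields):
    """Names used more than once inside a single record (the first issue)."""
    seen, dups = set(), []
    for name, _ in fields:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups

def values(event, rtype, name):
    """All values of `name` across the records of type `rtype` in one event."""
    return [v for t, fields in event if t == rtype for k, v in fields if k == name]

if __name__ == "__main__":
    for eid, recs in group_events(SAMPLE).items():
        print(eid, [t for t, _ in recs], values(recs, "PATH", "name"))
```

Storing fields as an ordered list of pairs rather than a dict is what keeps the second `uid` from silently overwriting the first.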