On Mon, 2016-03-21 at 12:14 +0530, Deepika Sundar wrote:
Hi All,
Audit log contains already defined <name>=<value> pair in each
record.Is there any possibility to add new field <name>=<value>? and
Is there any compatibility issues associated with it ? please specify
if any.
We discussed this last month as per below. So what do you want to do?
On Friday, February 12, 2016 12:06:54 AM Burn Alting wrote:
Steve,
Perhaps we could update the above document to advise users
what they
should offer in such a proposal.
Good point. Usually they come to the list and say I am working
on a daemon
that needs to write something to the audit log whenever this
kind of thing
happens. How should I record it.
This leads to a better conversation because not everything is a
candidate for
the audit logs. That doesn't mean it doesn't need to be
recorded, it just
means it needs to go somewhere else.
For example, tcp_wrappers can reject connections. Should that go
into audit
logs automatically? No way. Same with web application access
control. These
are important enough to be logged, but they belong in an
application log.
Perhaps further, we could offer a generic solution on how one
could
define a 'non-public' field name. That is, a
'non-public'
field is one
which could not, via it's nomenclature, conflict with a
current or
future 'public' (aka published) field name. Such non-public
fields could
then be used by capability that only needs the audit source
and audit
consumer to be aware of the field.
That's a good point. I'm pretty sure 'private-' will never be
used for a prefix
to any field. That said, if this is going into an existing
event, we really
need to have a discussion about that. This affects all third
party's that try
to make sense of the audit logs,
-Steve