On Wednesday 10 May 2006 14:05, Linda Knippers wrote:
> We have existing code we're supporting that doesn't use your parser and
> we're not planning to re-write our code.

You'll have to make some mods to it, things have changed in various places.

> I don't know how many other people are in the same position. I also think
> it's helpful if the output of ausearch is easily grepable.

It will be. Nothing has changed here.

> I think what these examples show is that there is no consistency.

It shows that modifiers are not being added to every keyword.

> > "audit_rate_limit=%d old=%d by auid=%u"
> > "audit_backlog_limit=%d old=%d by auid=%u"
>
> What does "by" signify as a modifier?

It's not a modifier, it's there for human readability.

> >>especially since there's currently no well defined concept of name
> >> modifiers like "new"
> >
> > It's used in many places, but you are more likely to run across old. The
> > function in the specs that was intended to do this was:
> >
> > const char *auparse_get_field_name_aux(auparse_state_t *au) - return
> > supplemental information about the field's name.
>
> If I used the APIs then I have to look at the aux information for a
> bunch of records I don't want because I can't directly search for the
> ones I do?

Or use reg expr matching.

-Steve
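Added example, not part of the original message or of the audit project's code: a sketch of the regular-expression approach mentioned at the end of the thread, applied to records shaped like the two format strings quoted above. The sample records are constructed, the function names are hypothetical, and attaching `old`/`new` to the preceding field is an assumption made for illustration.

```python
import re

# Constructed sample records, filled in from the two format strings quoted in the thread.
SAMPLE = [
    "audit_rate_limit=100 old=0 by auid=500",
    "audit_backlog_limit=256 old=64 by auid=4294967295",
]

# A token is name=value starting at a word boundary; bare words such as "by" never match.
TOKEN = re.compile(r"(?<!\S)(?P<name>[A-Za-z_][\w-]*)=(?P<value>\S+)")
MODIFIERS = {"old", "new"}  # assumption: these names qualify the field before them


def parse_record(line):
    """Return {field: {"value": v, "old": v, ...}} for one record."""
    fields = {}
    last = None
    for m in TOKEN.finditer(line):
        name, value = m.group("name"), m.group("value")
        if name in MODIFIERS and last is not None:
            fields[last][name] = value  # attach modifier to the preceding field
        else:
            fields[name] = {"value": value}
            last = name
    return fields


def changes_to(lines, field):
    """Directly select records that set `field`; return (new, old, auid) tuples."""
    # Anchor on the full field name so "limit" does not match "audit_rate_limit=".
    wanted = re.compile(r"(?<!\S)" + re.escape(field) + r"=")
    results = []
    for line in lines:
        if not wanted.search(line):
            continue  # skip unrelated records without parsing them
        rec = parse_record(line)
        auid = rec.get("auid", {}).get("value")
        results.append((rec[field]["value"], rec[field].get("old"), auid))
    return results


if __name__ == "__main__":
    for row in changes_to(SAMPLE, "audit_backlog_limit"):
        print(row)
```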
