----- Original Message ----- > I'm using auparse_get_field_type from the parse lib. > The return value for error is "0" which is also that of the AUDIT_PID > field. > > Right? I am getting some errors that thought they were PIDs. The return value of auparse_get_field_type() is a value from auparse_type_t defined in auparse-defs.h. 0 is AUPARSE_TYPE_UNCLASSIFIED (i.e. "there is no current field, or we don't know what kind of data is in the field"). AUPARSE_TYPE_* and the AUDIT_* field enums both deal with fields, but are distinct. It is somewhat confusing I'm afraid. Mirek
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
