----- Original Message -----
> 2) Write an audispd plugin that used the sd-journal API to store
> audit events in the journal.
>
> 3) Add sd-journal as a log format to auditd.
Both of these will run into the problem recently discussed on this mailing
list: the available methods to parse an audit records into fields are a bit
imprecise/"lossy" because not all records keep the name=value format as
expected.
This can be OK if auparse is able to extract all the data you need/expect to
process.
Mirek
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit