All,

I note when interpreting raw audit with the ausearch --interpret option, the code in src/ausearch-report.c:output_interpreted_node(), when parsing key value pairs which are not enclosed in double or single quotes, looks for embedded commas in the value part and, if found, effectively terminates the value at the comma. This, in effect, makes the data after the comma the start of the next key (if any). There are some exceptions in the code (audit_type == AUDIT_VIRT_MACHINE_ID, AUDIT_OBJ_PID, AUDIT_PATH and AUDIT_IPC).

What sort of input is this addressing? Are there examples?

Thanks in advance
Burn
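The field splitting described in the message above, as a simplified Python model added here for illustration; it is not ausearch code and not part of the original post. The function name, the constructed sample record, and the choice to model the exempt record types (written by their log names) as keeping the comma inside the value are assumptions.

```python
# Simplified model of the comma handling described in the message; not ausearch code.
# Record types the message lists as exceptions, written by their log names (assumed mapping).
COMMA_EXEMPT = {"VIRT_MACHINE_ID", "OBJ_PID", "PATH", "IPC"}


def split_fields(record_type, body):
    """Split key=value fields. An unquoted value ends at a space or,
    unless the record type is exempt, at the first embedded comma."""
    fields, i, n = [], 0, len(body)
    exempt = record_type in COMMA_EXEMPT
    while i < n:
        # Skip separators left over between fields.
        while i < n and body[i] in " ,":
            i += 1
        eq = body.find("=", i)
        if eq == -1:
            break
        key, i = body[i:eq], eq + 1
        if i < n and body[i] in "\"'":
            # Quoted value: runs to the matching quote, commas included.
            end = body.find(body[i], i + 1)
            end = n if end == -1 else end
            value, i = body[i + 1:end], end + 1
        else:
            # Unquoted value: the comma acts as a terminator unless exempt.
            end = i
            while end < n and body[end] != " " and (exempt or body[end] != ","):
                end += 1
            value, i = body[i:end], end
        fields.append((key, value))
    return fields


# Constructed sample body, not taken from a real audit log.
SAMPLE = "name=foo,bar=1 res=ok"

if __name__ == "__main__":
    for rtype in ("SYSCALL", "PATH"):
        print(rtype, split_fields(rtype, SAMPLE))
    print("SYSCALL (quoted)", split_fields("SYSCALL", 'name="foo,bar=1" res=ok'))
```

For a non-exempt type the text after the comma surfaces as its own `bar` field, while the quoted form and the exempt type keep it inside `name`; a consumer of interpreted output should account for that difference when matching on field names.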
