On Thursday, February 11, 2016 06:07:56 PM Sowndarya K wrote:
> As of now there are so many proposed fields in the audit event log, if I
> wanted to one proposed field which is of not use as much, which one can I
> choose for?

The audit event known fields is kind of an agreement on what field names shall be and what goes in them. There is a larger context in that events of the same type must have the same fields, in the same order, and using the same representation. Otherwise no one can ever analyse events because nothing has order.

So, what is it you are trying to do? That would be a more helpful question so that we can give you a more rounded answer.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
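
The constraint described in the reply above (events of the same type carry the same fields in the same order) can be checked mechanically. The following is an added example, not part of the original message or of the audit project's code; the sample records are constructed and simplified, and `field_order` and `find_inconsistent` are hypothetical names.

```python
import re

# Constructed sample records (simplified; not from the original message).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1455214076.101:201): arch=c000003e syscall=2 success=yes exit=3 pid=811 uid=0 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1455214077.330:202): arch=c000003e syscall=59 success=yes exit=0 pid=812 uid=0 comm="ls" exe="/usr/bin/ls"
type=SYSCALL msg=audit(1455214078.512:203): arch=c000003e success=no syscall=2 exit=-13 pid=813 uid=1000 comm="cat" exe="/usr/bin/cat"
type=CWD msg=audit(1455214078.512:203): cwd="/home/user"
type=CWD msg=audit(1455214079.004:204): cwd="/tmp" note="extra"
"""

# Record header: type, timestamp and event serial, then the field body.
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
# name=value pairs; quoted values may contain spaces.
FIELD = re.compile(r'([\w-]+)=("[^"]*"|\'[^\']*\'|\S+)')

def field_order(line):
    """Return (record type, event serial, field names in order), or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    return rtype, int(serial), tuple(name for name, _ in FIELD.findall(body))

def find_inconsistent(log_text):
    """Flag records whose field list differs from the first record of that type."""
    baseline = {}   # record type -> field order of the first record seen
    problems = []
    for line in log_text.splitlines():
        parsed = field_order(line)
        if parsed is None:
            continue
        rtype, serial, names = parsed
        expected = baseline.setdefault(rtype, names)
        if names != expected:
            # Same names in a different order vs. a different set of names.
            reason = "order" if sorted(names) == sorted(expected) else "field set"
            problems.append((rtype, serial, reason))
    return problems

if __name__ == "__main__":
    for rtype, serial, reason in find_inconsistent(SAMPLE_LOG):
        print(f"{rtype} event {serial}: {reason} differs from first {rtype} record")
```

The first record of each type is taken as the baseline here only for illustration; a real check would compare against the agreed field list for that record type.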
