Hello, Thank you for your reply! It is absolutely amazing. It clarified a lot.
>> b) Why are some records separated by a comma and a
>> whitespace? Example:
>>
>> type=DAEMON_START msg=audit(1363713609.192:5426): auditd start,
>> ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979
>> subj=unconfined_u:system_r:auditd_t:s0 res=success
>
> A long time ago the records were meant to be both human readable (don't
> laugh) and machine consumable. Over time these have been converted to
> name=value pairs. Even the one you mention above has been fixed.

I am not sure if I understood; does it mean that `auditd start, ver=2.2` is outdated and deprecated? I'm confused because my Debian did produce a log file with this element.

Cheers,
-m

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
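As an added example (not part of the thread, and not auditd's own code), here is a small parser for the record format the reply describes: it splits the body into name=value pairs and keeps the legacy human-readable tokens ("auditd start,") separately, so the DAEMON_START line quoted above is neither rejected nor silently mangled. The sample records are constructed from that quoted line; the op=start key in the modern-style record is my assumption.

```python
import re
from dataclasses import dataclass

# Constructed samples. LEGACY_RECORD is the DAEMON_START line quoted in the thread,
# where "auditd start," is free text, not a name=value pair. MODERN_RECORD is the
# same event in all-name=value style (its op=start key is my assumption).
LEGACY_RECORD = (
    "type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, "
    "ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 "
    "subj=unconfined_u:system_r:auditd_t:s0 res=success"
)
MODERN_RECORD = (
    "type=DAEMON_START msg=audit(1363713700.000:5427): op=start ver=2.2 "
    "format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 "
    "subj=unconfined_u:system_r:auditd_t:s0 res=success"
)

# Header: type=..., msg=audit(<seconds.millis>:<serial>): and then the body.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# Body token: name=value ("..." or '...' values may contain spaces) or a bare word (legacy free text).
TOKEN_RE = re.compile(r"""(?P<key>[\w\-]+)=(?P<val>"[^"]*"|'[^']*'|\S+)|(?P<word>\S+)""")

@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: dict    # name=value pairs, surrounding quotes removed
    freetext: list  # bare words that were not name=value pairs

    def has_legacy_text(self):
        """True if a pure name=value parser would have mishandled this record."""
        return bool(self.freetext)

def parse_record(line):
    """Parse one audit record, keeping legacy free text instead of losing it."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields, freetext = {}, []
    for tok in TOKEN_RE.finditer(m.group("body")):
        if tok.group("key") is not None:
            val = tok.group("val")
            if len(val) >= 2 and val[0] in "\"'" and val[-1] == val[0]:
                val = val[1:-1]  # strip matching quotes
            fields[tok.group("key")] = val
        else:
            freetext.append(tok.group("word").rstrip(","))  # "start," -> "start"
    return AuditRecord(m.group("type"), float(m.group("ts")), int(m.group("serial")), fields, freetext)
```

Records where `has_legacy_text()` is true are the ones worth reviewing when mapping fields into a SIEM, since a tokenizer that assumes every token is name=value would have dropped or misfiled them.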
