On 09/14, Steve Grubb wrote:
> On Tuesday, September 14, 2021 9:55:48 PM EDT Enzo Matsumiya wrote:
>> When audit.log is opened with cat or less, for example, with log format
>> = ENRICHED, there's no space between data and the enriched part, only
>> AUDIT_INTERP_SEPARATOR (0x1d):
>
> This is by design.

I understand that, and the patch doesn't break it.

>> type=USER_CMD msg=audit(1631669179.082:2403): ... res=success'UID="enzo" AUID="unset"
>>                                                               ^ (0x1d)
>>
>> sep_done should be checked if it's 1 as well, so a space is added before
>> the first enriched field.
>
> Why?

Some people still rely on opening audit.log with tools that are not aware
of the log format.

As far as I could test, the change is only cosmetic, as I expected. I did a
basic test with ausearch and it was ok.

Please clarify if you expect anything else to be affected by this
change.


Cheers,

Enzo

--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
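
The format discussed in this thread, as an added example that is not part of the original message or of the audit project's code: a small reader that splits an ENRICHED record at AUDIT_INTERP_SEPARATOR (0x1d), pairs each interpreted field with its raw counterpart, and renders the record with a space for tools unaware of the format. The function names and the sample record are assumptions constructed for illustration.

```python
import re

AUDIT_INTERP_SEPARATOR = "\x1d"  # separator byte named in the thread

# key=value, where the value is "quoted", 'quoted' or a bare token
_FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def _unquote(v):
    return v[1:-1] if len(v) >= 2 and v[0] in "\"'" and v[-1] == v[0] else v

def split_record(line):
    """Split one record into (raw, enriched); enriched is '' if no separator.
    Whitespace on either side of the separator is tolerated."""
    raw, _, enriched = line.rstrip("\n").partition(AUDIT_INTERP_SEPARATOR)
    return raw.rstrip(), enriched.strip()

def parse_fields(text):
    return {k: _unquote(v) for k, v in _FIELD.findall(text)}

def interpret(line):
    """Pair each enriched NAME with the raw field of the same lowercase name."""
    raw, enriched = split_record(line)
    raw_fields = parse_fields(raw)
    return {k.lower(): (raw_fields.get(k.lower()), v)
            for k, v in parse_fields(enriched).items()}

def for_display(line):
    """Render a record for format-unaware tools: separator becomes one space."""
    raw, enriched = split_record(line)
    return raw if not enriched else raw + " " + enriched

# Constructed sample record (not taken from a real log).
SAMPLE = ("type=USER_CMD msg=audit(1631669179.082:2403): pid=4242 uid=1000 "
          "auid=4294967295 ses=4294967295 msg='cwd=\"/home/enzo\" cmd=\"ls\" "
          "terminal=pts/0 res=success'" + AUDIT_INTERP_SEPARATOR +
          "UID=\"enzo\" AUID=\"unset\"")

if __name__ == "__main__":
    print(for_display(SAMPLE))
    print(interpret(SAMPLE))
```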
