On 06/26/2011 09:48 AM, Michael Starks wrote:
Here is the current rev (available for one month from the date of this
post): http://pastebin.com/8R6S5L1N
Whoops, copy and paste error. The auditd-path decoder should look like this:
<!-- path (will only decode if name is not null) -->
<decoder name="auditd-path">
  <parent>auditd</parent>
  <prematch offset="after_parent">^PATH </prematch>
  <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
  <order>action,id,extra_data</order>
</decoder>
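To show what the corrected decoder actually extracts from an auditd PATH record, here is an added Python model of it (not part of the post or of OSSEC). It translates the OSSEC regex syntax used above into Python's re module (OSSEC's `\d` is a digit, `\S` is non-whitespace, `\.` is any character, and `\(` `\)` are literal parentheses), and it assumes the parent `auditd` decoder consumes a leading `type=` so that the child sees the remainder; that parent behaviour is not shown on the page and is an assumption here. The audit records in the block are constructed samples, including a `name=(null)` record to illustrate the "will only decode if name is not null" comment.

```python
import re

# OSSEC regex from the decoder, translated to Python re syntax (my translation,
# not OSSEC's own engine): \d -> [0-9], \. -> ., \( \) -> literal parens.
PATH_RE = re.compile(
    r'^(PATH) msg=audit\([0-9]{10}.[0-9]{3}:([0-9]+)\): item=[0-9]+ '
    r'name="(.+)" inode=[0-9]+ dev=\S+ mode=[0-9]+ ouid=[0-9]+ ogid=[0-9]+ rdev=\S+'
)

# <order>action,id,extra_data</order> maps the three capture groups to fields.
FIELDS = ("action", "id", "extra_data")

# Assumption: the parent "auditd" decoder matches the leading "type=" and the
# child (offset="after_parent") is applied to what follows it.
PARENT_PREFIX = "type="
PREMATCH = "PATH "


def decode_auditd_path(line):
    """Return {"action", "id", "extra_data"} for a PATH record, else None.

    Mirrors the decoder: parent match, then prematch, then regex/order.
    Records whose name is (null) have no quoted name and therefore do not
    match, which is the "will only decode if name is not null" behaviour.
    """
    if not line.startswith(PARENT_PREFIX):
        return None                      # parent decoder would not fire
    rest = line[len(PARENT_PREFIX):]
    if not rest.startswith(PREMATCH):    # <prematch>^PATH </prematch>
        return None
    m = PATH_RE.match(rest)
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


def decode_records(lines):
    """Decode a batch of records; undecodable ones are reported as None."""
    return [decode_auditd_path(l) for l in lines]


# Constructed sample records (not real audit output from the post).
SAMPLE_RECORDS = [
    'type=PATH msg=audit(1309095600.123:4567): item=0 name="/etc/shadow" '
    'inode=131093 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00',
    # null name: no quoted name, so the decoder must skip it
    'type=PATH msg=audit(1309095600.123:4568): item=1 name=(null) '
    'inode=131094 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00',
    # a different record type: prematch fails
    'type=SYSCALL msg=audit(1309095600.123:4567): arch=c000003e syscall=2',
]

if __name__ == "__main__":
    for rec, decoded in zip(SAMPLE_RECORDS, decode_records(SAMPLE_RECORDS)):
        print(rec[:40] + "...", "->", decoded)
```

Running the block prints the three decodes: the first record yields `action=PATH`, `id=4567` and `extra_data=/etc/shadow`; the null-name and SYSCALL records yield `None`, which is the point of the comment in the decoder. The `id` field (the audit serial after the timestamp) is what lets a PATH record be correlated with the SYSCALL record from the same event.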