On Thu, 26.03.15 13:56, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> On Thu, Mar 26, 2015 at 09:42:45AM +0100, Lennart Poettering wrote:
> > On Sun, 15.03.15 03:51, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> >
> > > On Sun, Mar 15, 2015 at 03:49:07AM +0100, Zbigniew Jędrzejewski-Szmek wrote:
> > > > Hi,
> > > >
> > > > I was looking at some debug logs, and the audit messages are
> > > > semi-useless in their current undecoded form:
> > > >
> > > > mar 14 22:24:02 fedora22 audit[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-udev-trigger comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> > > > mar 14 22:24:05 fedora22 audit: <audit-1327> proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479
> > > >
> > > > You added code to parse this, and I think we should make use of it and
> > > > put msg= field as MESSAGE=, and maybe store the original message as
> > > > _AUDIT= or something. If there's no msg field, like with proctitle,
> > > > print all fields that are in the message, but using our cescape, and
> > > > not this hexadecimal form which is unreadable for humans.
> > >
> > > I think we should also translate type= to names...
> > >
> > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html
> >
> > Well, we don't translate MESSAGE_ID fields to strings either...
>
> Here the mapping is stable, and maintained in one place... I think it's more
> like DNS TYPE field, completely reversible, than MESSAGE_IDs.

I think generating a translation table automatically from the headers
like we do for input keys should be OK.

Lennart

--
Lennart Poettering, Red Hat
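The decoding discussed in this thread, as an added example that is not part of the original messages and is not systemd's code: it turns the hex-encoded `proctitle=` value from the quoted log line into a readable, escaped command line and maps the two record type numbers shown to names. The function names, the `\xNN` escape style and the choice to render NUL argv separators as spaces are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The two record types from the quoted log lines; numbers per <linux/audit.h>. */
static const char *audit_type_name(int type) {
    switch (type) {
    case 1130: return "SERVICE_START";
    case 1327: return "PROCTITLE";
    default:   return NULL; /* unknown: caller keeps the number */
    }
}

static int unhex(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a hex proctitle= value. NUL argv separators become spaces (assumed
 * choice); other non-printable bytes and backslashes are written as \xNN.
 * Returns output length, or -1 on malformed hex or a too-small buffer. */
static int decode_proctitle(const char *hex, char *out, size_t outsz) {
    size_t n = strlen(hex), o = 0;
    if (n % 2 != 0 || outsz == 0) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = unhex(hex[i]), lo = unhex(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        unsigned char b = (unsigned char)(hi << 4 | lo);
        if (b == 0) b = ' ';
        if (isprint(b) && b != '\\') {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)b;
        } else {
            if (o + 4 >= outsz) return -1;
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", b);
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    char buf[256]; /* hex below is the proctitle value quoted in the thread */
    const char *hex = "2F7362696E2F6D6F6470726F6265002D71002D2D0069707461626C655F7365637572697479";
    if (decode_proctitle(hex, buf, sizeof buf) >= 0)
        printf("%s: %s\n", audit_type_name(1327), buf);
    return 0;
}
```

Rendering NUL as a space is lossy for arguments that themselves contain spaces; a consumer that needs exact argv boundaries should keep the raw field alongside the decoded one.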