I have Linux auditd input representing a program call and its arguments, with data such as this:

    type=EXECVE executable=/bin/foo a0=arg1 a1=arg2 a2=arg3

where the number of arguments is arbitrary.

Is it possible to parse this to a representation such as

    <program-call>
      <executable>/bin/foo</executable>
      <a0>arg1</a0>
      <a1>arg2</a1>
      <a2>arg3</a2>
    </program-call>

in a way that will also unparse to the original content, and bearing in mind that the number of arguments is arbitrary (although we would impose a suitable maximum)?

--
Simon Godden
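
Added example, not part of the original post: a Python sketch of the round trip asked about, limited to the simplified record layout shown above (space-separated key=value fields, values without spaces). The names to_xml, from_xml and MAX_ARGS, and the cap of 64, are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

MAX_ARGS = 64  # assumed cap; the post only asks for "a suitable maximum"
SAMPLE = "type=EXECVE executable=/bin/foo a0=arg1 a1=arg2 a2=arg3"  # line from the post


def to_xml(line):
    """Parse one record into <program-call> XML text, rejecting input that cannot round-trip."""
    pairs = []
    for field in line.split(" "):  # exactly one space between fields
        key, sep, value = field.partition("=")  # value may itself contain '='
        if not (key and sep and value):
            raise ValueError(f"malformed field: {field!r}")
        pairs.append((key, value))
    if len(pairs) < 2 or pairs[0] != ("type", "EXECVE") or pairs[1][0] != "executable":
        raise ValueError("expected 'type=EXECVE executable=...'")
    args = pairs[2:]
    if len(args) > MAX_ARGS:
        raise ValueError(f"more than {MAX_ARGS} arguments")
    root = ET.Element("program-call")
    ET.SubElement(root, "executable").text = pairs[1][1]
    for index, (key, value) in enumerate(args):
        if key != f"a{index}":  # a0, a1, ... with no gaps or reordering
            raise ValueError(f"expected a{index}, got {key!r}")
        ET.SubElement(root, key).text = value  # XML escaping is applied on serialisation
    return ET.tostring(root, encoding="unicode")


def from_xml(xml_text):
    """Unparse <program-call> XML text back into the original record line."""
    root = ET.fromstring(xml_text)
    children = list(root)
    if root.tag != "program-call" or not children or children[0].tag != "executable":
        raise ValueError("expected <program-call> starting with <executable>")
    if len(children) - 1 > MAX_ARGS:
        raise ValueError(f"more than {MAX_ARGS} arguments")
    parts = ["type=EXECVE"]
    for index, child in enumerate(children):
        expected = "executable" if index == 0 else f"a{index - 1}"
        if child.tag != expected or not child.text or " " in child.text:
            raise ValueError(f"bad element <{child.tag}>")
        parts.append(f"{child.tag}={child.text}")
    return " ".join(parts)


if __name__ == "__main__":
    print(to_xml(SAMPLE))
    print(from_xml(to_xml(SAMPLE)) == SAMPLE)
```

The strict checks (single-space separators, contiguous a0..aN, non-empty values) are what make the unparse byte-for-byte identical to the input; relaxing any of them means the XML must carry extra information to restore the original line.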