We already have examples with up to 253 arguments, and so we would not want to specify hundreds of identical elements in the schema.
I’m looking for something that will allow me to iterate on an arbitrary number of arguments, up to a sensible limit.

Simon Godden

On Mon, 4 Nov 2024 at 17:23, Steve Lawrence <slawre...@apache.org> wrote:

> Note that I believe with type=EXECVE audit logs, the parameter names are
> constant (e.g. it's always executable, a0, a1, etc.). If you know all the
> parameter names, which I think we do in this case, we can use
> tags/initiators to select the correct element which would allow you to get
> something like the first representation.
>
> On 2024-11-04 12:01 PM, Mike Beckerle wrote:
> > You cannot convert data values to element names in DFDL. The best you
> > could do would be something like:
> >
> > <program-call>
> >   <executable>/bin/foo</executable>
> >   <arg><name>a0</name><value>arg0</value></arg>
> >   <arg><name>a1</name><value>arg1</value></arg>
> >   ...
> > </program-call>
> >
> > On Mon, Nov 4, 2024 at 11:47 AM simon godden <sgod...@gmail.com
> > <mailto:sgod...@gmail.com>> wrote:
> >
> >     I have linux auditd input representing a program call and its
> >     arguments with data such as this:
> >
> >     type=EXECVE executable=/bin/foo a0=arg1 a1=arg2 a2=arg3
> >
> >     where the number of arguments is arbitrary
> >
> >     Is it possible to parse this to a representation such as
> >
> >     <program-call>
> >       <executable>/bin/foo</executable>
> >       <a0>arg1</a0>
> >       <a1>arg2</a1>
> >       <a2>arg3</a2>
> >     </program-call>
> >
> >     in a way that will also unparse to the original content, and bearing
> >     in mind that the number of arguments is arbitrary (although we would
> >     impose a suitable maximum).
> >
> >     --
> >     Simon Godden
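The repeating name/value layout suggested in the quoted reply, sketched in Python rather than DFDL to show that it round-trips the sample EXECVE line with an arbitrary, capped number of arguments. This is an added example, not code from anyone in the thread; `MAX_ARGS`, the function names, and the assumption that values contain no spaces (as in the sample line) are illustrative.

```python
import re
import xml.etree.ElementTree as ET

MAX_ARGS = 256  # hypothetical cap standing in for the "suitable maximum"
ARG_NAME = re.compile(r"a(\d+)\Z")
SAMPLE = "type=EXECVE executable=/bin/foo a0=arg1 a1=arg2 a2=arg3"  # line from the thread


def parse_execve(line):
    """Parse one EXECVE line into <program-call> with one <arg> per argument."""
    fields = line.split(" ")
    if fields[0] != "type=EXECVE" or len(fields) < 2:
        raise ValueError("not an EXECVE record")
    key, sep, exe = fields[1].partition("=")
    if key != "executable" or not sep:
        raise ValueError("missing executable field")
    args = fields[2:]
    if len(args) > MAX_ARGS:
        raise ValueError("too many arguments")
    root = ET.Element("program-call")
    ET.SubElement(root, "executable").text = exe
    for index, field in enumerate(args):
        name, sep, value = field.partition("=")
        match = ARG_NAME.match(name)
        # Names must run a0, a1, ... in order; anything else is rejected
        # rather than silently dropped, so unparsing stays lossless.
        if not sep or not match or int(match.group(1)) != index:
            raise ValueError(f"unexpected field {field!r}")
        arg = ET.SubElement(root, "arg")
        ET.SubElement(arg, "name").text = name
        ET.SubElement(arg, "value").text = value
    return root


def unparse_execve(root):
    """Rebuild the original line from the element tree."""
    parts = ["type=EXECVE", "executable=" + (root.findtext("executable") or "")]
    for arg in root.findall("arg"):
        parts.append(f"{arg.findtext('name')}={arg.findtext('value') or ''}")
    return " ".join(parts)


if __name__ == "__main__":
    tree = parse_execve(SAMPLE)
    print(ET.tostring(tree, encoding="unicode"))
    print(unparse_execve(tree) == SAMPLE)
```

The argument name is kept as data in `<name>` instead of becoming an element name, so the tree has a fixed shape however many arguments the record carries.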