From mboxrd@z Thu Jan 1 00:00:00 1970
From: LC Bruzenak
Subject: auparse question
Date: Fri, 06 Jun 2008 14:20:14 -0500
Message-ID: <1212780014.6726.26.camel@homeserver>
To: Linux Audit

I have successfully sent in an AUDIT_TRUSTED_APP user audit event & viewed that message picked off the stream by audisp. I send in my own n=v pairs. The auparse library code returns all the name elements but on a string value with embedded spaces it stops at the first space.

On the sending side I have tried escaping double-quotes, single-quotes, and escaped single-quotes.

I read through most of the list entries regarding this and also Steve's auparse text page and I must be missing the answer; apology in advance since after reading through most of the replies I realized it has been discussed thoroughly, but I do not see the answer.

I also copied the example in the auparse_feed manpage, compiled that and tried to put some data into a file for an easy example. I cannot seem to get the right format in my event data file however. If someone has an example of that file data it would help, since I'd ideally like to use this setup for quick testing.

Thx,
LCB.

-- LC (Lenny) Bruzenak lenny@magitekltd.com
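
Added example, not part of the original message and not auparse or libaudit code: a Python sketch of why a value with embedded spaces is cut at the first space when a record is split on whitespace, and how hex-encoding the value (the convention audit records use for untrusted strings) keeps it as one token. The field names `app` and `note`, the sample records and all function names are constructed for illustration.

```python
import re

def needs_encoding(raw: bytes) -> bool:
    # Encode when the value holds a double quote, a space or control byte
    # (< 0x21), or anything >= 0x7f; such bytes would break n=v tokenizing.
    return any(b == 0x22 or b < 0x21 or b >= 0x7F for b in raw)

def encode_nv(name: str, value: str) -> str:
    raw = value.encode("utf-8")
    if needs_encoding(raw):
        return f"{name}={raw.hex().upper()}"   # bare upper-case hex, no quotes
    return f'{name}="{value}"'                 # safe values are simply quoted

def split_fields(record: str) -> dict:
    # Hypothetical whitespace tokenizer standing in for the behaviour the
    # post describes; it is not auparse's implementation.
    fields = {}
    for token in record.split():
        name, sep, value = token.partition("=")
        if sep:
            fields[name] = value
    return fields

def decode_value(value: str) -> str:
    # Call this only for fields the sender is known to encode: a bare hex
    # string cannot be told apart from an ordinary hex-looking value.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value

def demo():
    text = "disk quota exceeded"                   # constructed sample value
    quoted = f'app="myapp" note="{text}"'          # quoting alone
    encoded = f'{encode_nv("app", "myapp")} {encode_nv("note", text)}'
    return (split_fields(quoted)["note"],          # truncated at first space
            decode_value(split_fields(encoded)["note"]))  # full value

if __name__ == "__main__":
    print(demo())
```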