<div dir="ltr"><br><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Fri, Nov 13, 2015 at 1:43 PM, Fekete, Róbert <span dir="ltr"><<a href="mailto:robert.fekete@balabit.com" target="_blank">robert.fekete@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi, <div><br></div><div>I've seen that you had a few patches merged to 3.7.2, and I'm not sure what to include in the docs about them: </div><div><br></div><div> - There were some csv-parser changes, is any of them user-visible?</div></div></blockquote><div><br></div><div>well, not that much. the only user-visible change is that the contents of the delimiters() option can now come in any order, whereas it required a specified order before (chars and then strings), but I think that never was intended, and is probably not documented either.<br><br></div><div>There are new features in csv-parser() in current master though (which is going to be published as 3.8)<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div> - What does linux-audit-parser do? Does it require any configuration, or it just works?</div></div></blockquote><div><br></div><div>it processes the format produced by auditd. It has two options:<br><br><ul><li>template() same as with other parsers, it specifies the input to be parsed (defaults to $MSG like everywhere else)<br></li><li>prefix() specifies the name-value prefix to be prepended to values parsed (defaults to the empty string).</li></ul><p>The some fields in the audit log are encoded in hexadecimal form if they contain space or non-printable characters. linux-audit-parser() will automatically decode these fields, <br></p><p> "name",<br> "proctitle",<br> "path",<br> "dir",<br> "comm",<br> "ocomm",<br> "data",<br> "old",<br> "new",<br></p><p>and a hard-coded pattern (a[:digits:]* will be decoded as well), the rest is kept intact.<br></p></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>Thanks!</div><div><br></div><div>Robert</div></div>
</blockquote></div><br></div></div>