On Fri, Nov 13, 2015 at 1:43 PM, Fekete, Róbert <robert.fekete@balabit.com> wrote:
> Hi,
>
> I've seen that you had a few patches merged to 3.7.2, and I'm not sure what to include in the docs about them:
>
> - There were some csv-parser changes, is any of them user-visible?

Well, not that much. The only user-visible change is that the contents of the delimiters() option can now come in any order, whereas it required a specified order before (chars and then strings), but I think that was never intended, and is probably not documented either. There are new features in csv-parser() in current master though (which is going to be published as 3.8).

> - What does linux-audit-parser do? Does it require any configuration, or does it just work?

It processes the format produced by auditd. It has two options:

- template(): same as with other parsers, it specifies the input to be parsed (defaults to $MSG like everywhere else)
- prefix(): specifies the name-value prefix to be prepended to the values parsed (defaults to the empty string)

Some fields in the audit log are encoded in hexadecimal form if they contain spaces or non-printable characters. linux-audit-parser() will automatically decode these fields: "name", "proctitle", "path", "dir", "comm", "ocomm", "data", "old", "new", and a hard-coded pattern (a[:digits:]* will be decoded as well); the rest is kept intact.

> Thanks!
> Robert

--
Bazsi
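The hex decoding Bazsi describes above, as an added example that is not part of the original mail and not syslog-ng's own code: a small Python decoder for auditd records that applies the same rule (the listed field names plus the "a" followed by digits pattern are hex-decoded when they are not quoted, everything else is kept intact), run over constructed sample records. Two details are this example's own choices and are not described in the mail: a0, a1, ... are only decoded in EXECVE records, and NUL separators inside a decoded proctitle are rendered as spaces. The prefix argument mirrors the prefix() option.

```python
import re

# Field names the mail lists as hex-decoded by linux-audit-parser().
HEX_FIELDS = {"name", "proctitle", "path", "dir", "comm", "ocomm", "data", "old", "new"}
ARG_FIELD_RE = re.compile(r"^a\d*$")          # the hard-coded a[:digits:]* pattern (a0, a1, ...)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')  # key=value pairs, quoted or bare
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")  # an even run of hex digits

# Constructed sample records modelled on auditd's format (not real captured logs).
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1447419826.123:456): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=55d4c0a0 a1=55d4c1b0 a2=55d4c2c0 a3=0 pid=4242 comm="ls" exe="/bin/ls" key=(null)',
    'type=EXECVE msg=audit(1447419826.123:456): argc=2 a0="ls" a1=6D792066696C65',
    'type=PATH msg=audit(1447419826.123:456): item=0 name=2F746D702F6D792066696C65 inode=1 mode=0100644',
    'type=PROCTITLE msg=audit(1447419826.123:456): proctitle=6C73006D792066696C65',
]


def is_hex_encoded_field(key, record_type):
    """True when auditd may have hex-encoded this field's value."""
    if key in HEX_FIELDS:
        return True
    # Assumption of this example, not stated in the mail: a0, a1, ... are only
    # treated as encoded strings in EXECVE records, because SYSCALL records use
    # a0..a3 for raw hexadecimal syscall arguments that must not be decoded as text.
    return record_type == "EXECVE" and ARG_FIELD_RE.match(key) is not None


def decode_value(key, raw, record_type):
    """Apply auditd's encoding rule to one value: quoted values are printable and
    returned verbatim, hex-encoded values of known fields are decoded, the rest is kept."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if is_hex_encoded_field(key, record_type) and HEX_RE.match(raw):
        text = bytes.fromhex(raw).decode("utf-8", errors="replace")
        # auditd separates argv entries in proctitle with NUL; this example renders
        # them as spaces so the value stays one readable string (its own choice).
        return text.replace("\x00", " ")
    return raw


def parse_audit_line(line, prefix=""):
    """Parse one auditd record into a dict of prefix+key -> decoded value."""
    pairs = KV_RE.findall(line)
    record_type = dict(pairs).get("type", "")
    return {prefix + key: decode_value(key, raw, record_type) for key, raw in pairs}


if __name__ == "__main__":
    for line in AUDIT_LINES:
        for name, value in parse_audit_line(line, prefix="audit.").items():
            print(f"{name}={value!r}")
        print()
```

Note the SYSCALL sample: a0 there is an even-length hex string that would decode into garbage bytes if the a[:digits:]* pattern were applied to every record type, which is why the example checks the record type first; whether the real parser distinguishes these cases is not covered by the mail.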