From: Steve Grubb
Subject: Re: Linux-audit Digest, Vol 40, Issue 8
Date: Mon, 14 Jan 2008 06:27:28 -0500
Message-ID: <200801140627.28303.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: kunal chandarana

On Monday 14 January 2008 06:06:33 kunal chandarana wrote:
> In audit logs one field which is always present is "TYPE".
>
> What does this type indicate?

It signifies the record's type.

> If this type indicates the symbolic constants which are defined in
> linux/audit.h then types like USER_AUTH, USER_ACCT, CRED_ACQ etc. are not
> defined in that particular file.

In audit.h, things are namespaced so they don't collide with defines
elsewhere. They all have an AUDIT_ prefix. So, if you wanted to map them,
AUDIT_USER_LOGIN would be printed as USER_LOGIN.

There is a function that does this mapping from number to string and another
from string to number. From libaudit.h:

    extern int audit_name_to_msg_type(const char *msg_type);
    extern const char *audit_msg_type_to_name(int msg_type);

You should not have to write this function yourself since the audit libraries
have conversion functions.

-Steve
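The naming convention described in the reply, applied to log text as an added example (not part of the original message and not libaudit code): it pulls the type field out of each record and converts between the printed name and the AUDIT_-prefixed constant name. The sample records are constructed, the function names are hypothetical, and the UNKNOWN[n] form for a type number that has no name is an assumption about the log format that the message does not state.

```python
import re
from collections import Counter

# Constructed sample records in the audit log layout (not from a real host).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1200310048.123:101): user pid=2101 uid=0 msg='acct="alice" res=success'
type=USER_ACCT msg=audit(1200310048.130:102): user pid=2101 uid=0 msg='acct="alice" res=success'
type=CRED_ACQ msg=audit(1200310048.141:103): user pid=2101 uid=0 msg='acct="alice" res=success'
type=USER_AUTH msg=audit(1200310090.507:104): user pid=2144 uid=0 msg='acct="bob" res=failed'
type=UNKNOWN[1334] msg=audit(1200310101.002:105): constructed record with no symbolic name
this line is not an audit record
"""

PREFIX = "AUDIT_"
TYPE_RE = re.compile(r"^type=(\S+)\s")          # record type is the first field
UNKNOWN_RE = re.compile(r"^UNKNOWN\[(\d+)\]$")  # assumed form for an unnamed number


def record_type(line):
    """Return the printed type of one log line, or None if it is not a record."""
    m = TYPE_RE.match(line)
    return m.group(1) if m else None


def to_constant(printed):
    """Printed name -> header-style constant; UNKNOWN[n] -> the bare number n."""
    m = UNKNOWN_RE.match(printed)
    return int(m.group(1)) if m else PREFIX + printed


def to_printed(constant):
    """Header-style constant -> printed name (the reverse direction)."""
    if not constant.startswith(PREFIX):
        raise ValueError(f"{constant!r} lacks the {PREFIX} prefix")
    return constant[len(PREFIX):]


def summarize(log_text):
    """Count records per type, keyed by constant name (or number if unnamed)."""
    counts = Counter()
    for line in log_text.splitlines():
        printed = record_type(line)
        if printed is not None:
            counts[to_constant(printed)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {key}")
```

This works on names only; converting between a name and its numeric value is left to the two libaudit functions quoted in the message.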