From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Linux-audit Digest, Vol 40, Issue 9
Date: Wed, 16 Jan 2008 08:59:45 -0500
Message-ID: <200801160859.45468.sgrubb@redhat.com>
References: <20080114170028.0385D73507@hormel.redhat.com> <770716a30801152259l3b97d79crea2de5bd66033d1e@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
In-Reply-To: <770716a30801152259l3b97d79crea2de5bd66033d1e@mail.gmail.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: kunal chandarana
List-Id: linux-audit@redhat.com

On Wednesday 16 January 2008 01:59:34 kunal chandarana wrote:
> Is there a way to map this audit type to the fields.

I don't have a map of each type. They can all be found by code inspection. For
kernel, I'd recommend using LXR.

http://lxr.linux.no/linux/include/linux/audit.h

Look at explanation about ranges. Look for kernel record types and click on
the define to see where they are used. From that you can click to the code
that uses it.

Alternatively, you could run one of the audit test suites and then maybe see
what each audit record looks like.

-Steve
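
The second suggestion in the message above (looking at what each audit record contains) can be automated by tabulating the field names seen per record type in a captured log. This is an added example, not code from the message or from the audit project; the sample records are constructed, and the function name and the regular expressions for the `type=... msg=audit(ts:serial): key=value` layout are assumptions of this sketch.

```python
import re

# Constructed sample records (not taken from a real system).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1200491985.468:101): arch=c000003e syscall=2 success=yes exit=3 pid=2301 uid=0 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1200491985.468:101): cwd="/root"
type=PATH msg=audit(1200491985.468:101): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1200491990.112:102): arch=c000003e syscall=59 success=yes exit=0 pid=2302 uid=0 comm="ls" exe="/bin/ls" key="exec"
not an audit record
"""

# Record header: type, timestamp, event serial, then the key=value body.
HEADER = re.compile(r'^type=(\S+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# A field value is a double-quoted string, a single-quoted string, or a bare token.
FIELD = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')


def fields_by_type(log_text):
    """Map each record type to the fields seen in every record ("always")
    and in only some records ("optional"). Malformed lines are skipped."""
    order, counts, totals = {}, {}, {}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record line
        rtype, body = m.group(1), m.group(4)
        totals[rtype] = totals.get(rtype, 0) + 1
        names = order.setdefault(rtype, [])
        per_field = counts.setdefault(rtype, {})
        # dict.fromkeys de-duplicates names within one record, keeping order.
        for name in dict.fromkeys(n for n, _ in FIELD.findall(body)):
            if name not in per_field:
                names.append(name)
            per_field[name] = per_field.get(name, 0) + 1
    return {
        t: {
            "always": [n for n in order[t] if counts[t][n] == totals[t]],
            "optional": [n for n in order[t] if counts[t][n] < totals[t]],
        }
        for t in order
    }


if __name__ == "__main__":
    for rtype, info in fields_by_type(SAMPLE_LOG).items():
        print(rtype, info)
```

The resulting map only covers record types and fields that actually occur in the log it is given, so it complements rather than replaces reading the kernel source.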