From: Steve Grubb <sgrubb@redhat.com>
To: lists_todd@mac.com
Cc: linux-audit@redhat.com
Subject: Re: saddr value in connect()
Date: Tue, 6 May 2014 13:55:25 -0400
Message-ID: <20140506135525.6bfdabb6@ivy-bridge>
In-Reply-To: <20140505182621.45cb8670@ivy-bridge>
lists_todd@mac.com wrote:
> I’m writing my own parsing code to add Linux analysis to my Mac-based
> BSM audit analysis tools, so I might be asking some “out of left
> field” questions from time to time. I’ve been working my way through
> decoding things like the sockaddr hex blob.
Out of curiosity, why don't you use auparse to write your BSM
reformatter? I used it to reformat audit events into IDMEF events. It's
used for zos log aggregator. We will likely be needing to make changes
soon and it would insulate you from those kinds of issues.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
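For reference, the layout of the sockaddr hex blob mentioned in the quoted question, as an added example (not code from this thread or from the audit project): a minimal Python decoder for the saddr= value of a SOCKADDR record. It assumes Linux address-family numbers and a little-endian host by default; the function name and the sample blobs are constructed for illustration.

```python
import ipaddress
import struct

# Linux address-family numbers (assumption: records come from a Linux host).
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Constructed sample saddr= values, not taken from the thread.
SAMPLES = {
    # family, port, IPv4 address, 8 bytes of padding
    "inet": "0200" "0050" "C000020A" "0000000000000000",
    # family, port, flowinfo, 16-byte IPv6 address, scope id
    "inet6": "0A00" "01BB" "00000000" "20010DB8" "00000000" "00000000" "00000001" "00000000",
    # family, NUL-terminated path
    "local": "0100" "2F6465762F6C6F67" "00",
}


def decode_saddr(hex_blob, byteorder="little"):
    """Decode the hex string of an audit SOCKADDR record's saddr= field.

    sa_family is in host byte order (little-endian assumed by default);
    ports and IP addresses are in network byte order.
    """
    raw = bytes.fromhex(hex_blob)
    if len(raw) < 2:
        raise ValueError("saddr too short to hold sa_family")
    family = int.from_bytes(raw[:2], byteorder)
    body = raw[2:]

    if family == AF_INET and len(body) >= 6:
        (port,) = struct.unpack("!H", body[:2])
        return {"family": "inet", "addr": str(ipaddress.IPv4Address(body[2:6])), "port": port}

    if family == AF_INET6 and len(body) >= 22:
        (port,) = struct.unpack("!H", body[:2])
        # body[2:6] is sin6_flowinfo; the 16-byte address follows it.
        return {"family": "inet6", "addr": str(ipaddress.IPv6Address(body[6:22])), "port": port}

    if family == AF_UNIX:
        if body[:1] == b"\0":  # abstract socket: name follows a leading NUL
            return {"family": "local", "path": "@" + body[1:].decode(errors="replace")}
        # Pathname socket: anything after the first NUL is not part of the path.
        return {"family": "local", "path": body.split(b"\0", 1)[0].decode(errors="replace")}

    # Unknown family or truncated record: return the bytes undecoded.
    return {"family": family, "raw": body.hex()}
```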