LC Bruzenak wrote: > On Tue, 2008-08-12 at 12:49 -0500, Jonathan Kelly wrote: > >> Hello, >> >> >> >> When using the python auparse library to call >> AuParser.interpret_field() on a multi-word field, only the first word >> in the field is returned. Using get_field_str() instead of >> interpret_field() yields the same output. I have verified that this >> issue exists in the C library, as well as the Python. I suspect that >> this may be an issue for multi-word fields in general, but have not >> noticed any other than 'op'. >> >> >> > > Line forms here...see the following thread: > https://www.redhat.com/archives/linux-audit/2008-June/msg00005.html > > LCB. > > The line started a while ago ... https://www.redhat.com/archives/linux-audit/2008-January/msg00082.html (the discussion "While we're at it" is irrelevant to the current topic) FWIW, I think the proper encoding should be that all string values are enclosed in double quotes and the string encoding follows the same backslash escaping defined for the C language which was subsequently adopted by many other system components which would make it instantly familiar and parseable by many tools. This would be a very simple and welcome fix. More complaints here: https://www.redhat.com/archives/linux-audit/2008-June/msg00009.html -- John Dennis