From: Matthew Booth
Subject: Re: A combined audit event message
Date: Fri, 27 Feb 2009 21:51:15 +0000
Message-ID: <49A86053.5080302@redhat.com>
References: <49A85961.4070007@redhat.com> <200902271628.58427.sgrubb@redhat.com>
In-Reply-To: <200902271628.58427.sgrubb@redhat.com>
To: Steve Grubb
Cc: Linux Audit
List-Id: linux-audit@redhat.com

Steve Grubb wrote:
> On Friday 27 February 2009 04:21:37 pm Matthew Booth wrote:
>> This has led me to explore combining records on the host
>> before sending them out. I'm currently intending to produce messages
>> like this
>
> Combining like this means adding a new character '|' to the decision about
> what constitutes an encoded field. Personally, I am not in favor of any
> radical changes in the next 3-4 months. Just some slow evolution.

Thinking about it, I'm using a combination of space (which presumably is
escaped) and a pipe. The space should mean that escaping isn't a problem,
while the pipe indicates the end of a record. '|' is just like a field name
in this respect.

Have I missed something?

Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490