From: John Dennis
Subject: Re: Advice on enriching logs with user and group names before moving them to a central log repository
Date: Thu, 02 Aug 2012 17:19:56 -0400
Message-ID: <501AEEFC.6020301@redhat.com>
References: <378292340.14664596.1343941945408.JavaMail.root@redhat.com>
In-Reply-To: <378292340.14664596.1343941945408.JavaMail.root@redhat.com>
To: Miloslav Trmac
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 08/02/2012 05:12 PM, Miloslav Trmac wrote:
> I'm not 100% sure what you mean, but is perhaps
> auparse_interpret_field what you are looking for? It returns an
> "interpreted" (as opposed to "raw") version of the field, e.g. a name
> instead of an UID.

Yes, that's the correct function to call. However it should be done by a
plugin which iterates over all the items and adds an interpreted result
to the raw result. For long term detached audit purposes you need both
the raw and interpreted value. The plugin then emits the augmented data
containing both the raw and interpreted values.

--
John Dennis
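
An added illustration of the enrichment described in the message above, keeping every raw field and appending the interpreted user and group names; it is not part of the original message and not code from the audit project. It does not call `auparse_interpret_field`: as a stand-in it resolves ids through the local account database, and the one-record-per-line text input, the uppercase `NAME="value"` output convention, the `unset` and `unknown(N)` renderings and all function names are assumptions of this example.

```python
import grp
import pwd
import re
import sys

# Audit field names that hold numeric user or group ids.
UID_FIELDS = {"uid", "auid", "euid", "suid", "fsuid", "ouid"}
GID_FIELDS = {"gid", "egid", "sgid", "fsgid", "ogid"}
UNSET_ID = 4294967295  # (uint32)-1, the value recorded for an unset auid
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# Constructed sample record, not taken from a real log.
SAMPLE = ('type=SYSCALL msg=audit(1343941945.408:312): syscall=2 success=yes '
          'auid=500 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat"')

def lookup_user(uid):
    """Resolve a uid locally (stand-in for libauparse interpretation)."""
    try:
        return pwd.getpwuid(uid).pw_name
    except (KeyError, OverflowError):
        return None

def lookup_group(gid):
    """Resolve a gid locally (stand-in for libauparse interpretation)."""
    try:
        return grp.getgrgid(gid).gr_name
    except (KeyError, OverflowError):
        return None

def interpret(name, raw, user=lookup_user, group=lookup_group):
    """Return the interpreted value for an id field, or None for other fields."""
    if name not in UID_FIELDS | GID_FIELDS or not raw.isdigit():
        return None
    num = int(raw)
    if num == UNSET_ID:
        return "unset"
    resolved = user(num) if name in UID_FIELDS else group(num)
    # Keep the number visible when the account does not exist on this host.
    return resolved or "unknown(%d)" % num

def emit(line, user=lookup_user, group=lookup_group):
    """Return the raw record unchanged, with NAME="interpreted" copies appended."""
    extra = []
    for name, raw in FIELD_RE.findall(line):
        value = interpret(name, raw, user, group)
        if value is not None:
            extra.append('%s="%s"' % (name.upper(), value))
    return " ".join([line] + extra)

if __name__ == "__main__":
    # Assumption: records arrive as text on stdin, one per line.
    for record in sys.stdin:
        print(emit(record.rstrip("\n")))
```

The lookup has to run on the host that produced the records, because the same numeric id can map to a different account, or to none, on the central repository.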