Closed bigon closed 3 years ago
There is a ^] character between key=(null) and ARCH=x86_64
Yes, this is what the enriched format specification calls for: https://github.com/linux-audit/audit-documentation/wiki/SPEC-Audit-Event-Enrichment I tried to quote this above and it somehow got erased.
Thanks, I learned something today.
Thanks @bigon, @stevegrubb.
Have to say, this seems like an odd choice of separator for a human-readable log. ^] doesn't print at all on my terminal. I guess it's too hard to change at this point :).
Cheers.
The choice is because "Group Separator" makes sense. There is a group of raw data, and a group of translated data. The translated data is meant to be hidden from view and only used to fill in translations. If, however, you wanted to have this in syslog, the syslog plugin removes the Group Separator since the data is no longer part of the audit system.
Hmm OK. On my system (Debian) the body of /var/log/audit/audit.log and the syslog plugin log appear identical except for the ^] separator. That's kind of unexpected. They are both text logs. Is there a valid use case for keeping it in the audit.log output? I'm sure there is someone relying on it anyway, so .. np.
Generally people sending logs to syslog intend to use Splunk/ELK/Graylog/AlienVault/etc. In that case there is no reason to separate them. But for audit native tool use, the separator is used to hide the translation metadata. There are people who have scripted reports using audit native logs.
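To make the two groups concrete, here is a small parser for the enriched format described in the thread: everything before the ASCII Group Separator (0x1D, shown as ^] by a terminal) is the raw record, everything after it is the translated group with upper-cased field names (ARCH for arch, UID for uid, and so on). This is an added example, not code from the audit-userspace project; the sample record is constructed for illustration, and the `syslog_safe` helper replaces the separator with a space as an assumption about what "removing" it should look like, since the thread only says the plugin removes it.

```python
"""Parse enriched audit records by splitting at the Group Separator (0x1D)."""
import re
from typing import Dict, Optional, Tuple

GS = "\x1d"  # ASCII Group Separator; a terminal renders it as ^]

# Constructed sample record in the enriched format (not copied from the issue):
# raw fields, then GS, then the translated fields with upper-cased names.
SAMPLE_LINE = (
    "type=SYSCALL msg=audit(1605000000.123:4567): arch=c000003e syscall=257 "
    "success=yes exit=3 a0=ffffff9c a1=7ffd4a2b0c40 a2=80000 a3=0 items=1 "
    "ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 "
    "egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"cat\" "
    "exe=\"/usr/bin/cat\" key=(null)"
    + GS +
    "ARCH=x86_64 SYSCALL=openat AUID=\"unset\" UID=\"root\" GID=\"root\" "
    "EUID=\"root\" SUID=\"root\" FSUID=\"root\" EGID=\"root\" SGID=\"root\" "
    "FSGID=\"root\""
)

# key=value pairs: the value is either a double-quoted string or a run of
# non-space characters (hex words, numbers, (null), audit(...):, ...).
# [^ ]+ is used instead of \S+ on purpose: Python's \s also matches 0x1D.
FIELD_RE = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|[^ ]+)')


def split_enriched(line: str) -> Tuple[str, str]:
    """Return (raw_part, enriched_part); enriched_part is '' without a GS."""
    raw, _, enriched = line.rstrip("\n").partition(GS)
    return raw, enriched


def parse_fields(text: str) -> Dict[str, str]:
    """Parse a space-separated key=value run into a dict, unquoting strings."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(text):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_audit_line(line: str) -> Dict[str, Dict[str, str]]:
    """Split one record into its raw group and its hidden translated group."""
    raw, enriched = split_enriched(line)
    return {"raw": parse_fields(raw), "enriched": parse_fields(enriched)}


def translated(event: Dict[str, Dict[str, str]], field: str) -> Optional[str]:
    """Use the translated group the way the native tools do: look the raw
    field up under its upper-cased name, falling back to the raw value."""
    return event["enriched"].get(field.upper(), event["raw"].get(field))


def has_group_separator(line: str) -> bool:
    """True if the record still carries the 0x1D separator (audit.log form)."""
    return GS in line


def syslog_safe(line: str) -> str:
    """Drop the separator for a syslog-style consumer. Assumption: replace it
    with one space so the two groups remain separate tokens."""
    return line.replace(GS, " ")


if __name__ == "__main__":
    ev = parse_audit_line(SAMPLE_LINE)
    print("raw arch:", ev["raw"]["arch"], "-> translated:", translated(ev, "arch"))
    print("raw uid :", ev["raw"]["uid"], "-> translated:", translated(ev, "uid"))
    print("syslog form has GS:", has_group_separator(syslog_safe(SAMPLE_LINE)))
```

Two practical caveats the parser encodes: once the separator has been removed, the translated fields land in the same namespace as the raw ones, so a consumer that wants only the raw record has to filter on field-name case instead; and Python treats 0x1D as whitespace (`"\x1d".isspace()` is true), so a naive `line.split()` silently merges the two groups, which is why the split is done with `partition(GS)` before any tokenising.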
Hello,
I just got the following bug on Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975117 I can confirm this with version 3.0~alpha9.
On my machine, I see the following:
As you can see I've a control character between the two