On Tuesday, September 14, 2021 9:55:48 PM EDT Enzo Matsumiya wrote:
> When audit.log is opened with cat or less, for example, with log format
> = ENRICHED, there's no space between data and the enriched part, only
> AUDIT_INTERP_SEPARATOR (0x1d):

This is by design.

> type=USER_CMD msg=audit(1631669179.082:2403): ... res=success'UID="enzo"
> AUID="unset"                                                  ^ (0x1d)
>
> sep_done should be checked if it's 1 as well, so a space is added before
> the first enriched field.

Why?

Thanks,
-Steve

> Signed-off-by: Enzo Matsumiya <ematsum...@suse.de> > --- > src/auditd-event.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/auditd-event.c b/src/auditd-event.c > index 788c44a08197..636553187279 100644 > --- a/src/auditd-event.c > +++ b/src/auditd-event.c > @@ -365,7 +365,7 @@ static int add_simple_field(auparse_state_t *au, size_t > len_left, int encode) > > // Setup pointer > ptr = &format_buf[FORMAT_BUF_LEN - len_left]; > - if (sep_done > 1) { > + if (sep_done >= 1) { > *ptr = ' '; > ptr++; > num = 1;
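
Review bot: The boundary change to `if (sep_done >= 1) {` in add_simple_field() alters the written layout of ENRICHED records, but the commit message only says a space "is added before the first enriched field" and does not say what fails without it. Please state the motivation and confirm that anything splitting the record on AUDIT_INTERP_SEPARATOR (0x1d) still gets the same first field once a space is written in front of it. The branch also has no comment describing what the values of sep_done mean, so the intended cutoff (`> 1` versus `>= 1`) cannot be judged from the hunk alone; a one-line comment above the condition would fix that.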