in cmd/auparse/auparse.go [132:185]
func (s *streamHandler) outputMultipleMessages(msgs []*auparse.AuditMessage) error {
var err error
if !*interpret {
if _, err = s.output.Write([]byte("---\n")); err != nil {
return err
}
for _, m := range msgs {
if err = s.outputSingleMessage(m); err != nil {
return err
}
}
return nil
}
event, err := aucoalesce.CoalesceMessages(msgs)
if err != nil {
log.Printf("failed to coalesce messages: %v", err)
return nil
}
if *idLookup {
aucoalesce.ResolveIDs(event)
}
switch *format {
case "json":
if err := s.printJSON(event); err != nil {
log.Printf("failed to marshal event to JSON: %v", err)
}
case "yaml":
if _, err := s.output.Write([]byte("---\n")); err != nil {
return err
}
if err := s.printYAML(event); err != nil {
log.Printf("failed to marshal message to YAML: %v", err)
}
default:
sm := event.Summary
if _, err := s.output.Write([]byte("---\n")); err != nil {
return err
}
_, err := fmt.Fprintf(
s.output,
`time="%v" sequence=%v category=%v type=%v actor=%v/%v action=%v thing=%v/%v how=%v tags=%v`+"\n",
event.Timestamp, event.Sequence, event.Category, event.Type, sm.Actor.Primary, sm.Actor.Secondary,
sm.Action, sm.Object.Primary, sm.Object.Secondary, sm.How, event.Tags,
)
if err != nil {
return err
}
}
return nil
}