This is somewhat of a feature request, I suppose. I wan't to write a sort of meta-IDS system that will use tools like PAM, Snort, etc as sensors. I was thinking that the most easy way to get info (however, not the most high performance way) would be to just read syslog. However, I'm running into the problem that PAM does not really seem to have any rules in how it logs - there's no specific defined grammar used. This makes it tough for parsing, and for converting to other languages. The solution that I see, is to define error codes that would prefix a logged message, and a defined grammer for arguements of each message - this so that in new versions there'll be less chance of change that would break parsers. Thoughts? I dont know PAM/C enough to implement that sort of change (I dont think that I do anyway)... but it's something that I think would benifit users of pam :) Thanks, Mathew Johnston
