Audit Parsing Library Requirements

Steve Grubb sgrubb at redhat.com
Thu Mar 9 16:06:47 UTC 2006


On Wednesday 08 March 2006 10:39, Steve Grubb wrote:
> I'll take a hack at proposing an API and send it in a little while.

OK, here's what I have:

The audit library parser could have the following functions:

auparse_init - allow init of library. Set data source: logs, file, buffer.
ausearch_set_param - set search options
ausearch_next_event - traverse to the next event that yields a match based on
search criteria.
auparse_next_event - traverse to next event. This allows access to time and
serial number.
auparse_get_time - retrieve time stamp of current record
auparse_get_serial - retrieve serial number of current record
auparse_first_record - set iterator to first record in current event
auparse_next_record - traverse to next record in event. This allows access to
the event type
auparse_get_type - retrieve type of current record
auparse_first_field - set field pointer to first in current record
auparse_next_field  - traverse the fields in a record
auparse_find_field - find a given field in a event or record
auparse_find_field_next - find the next occurrence of that field in the same
record
auparse_get_field_str - return current field value as a string
auparse_get_field_int - return current field value as an int
auparse_interpret_field - interpret the current field as a string
auparse_destroy - free all data structures and close file descriptors

This would allow the following kind of programming:

auparse_init
ausearch_set_param
while ausearch_next_event
        if auparse_find_field
                auparse_interpret_field
                print out

        ...
auparse_destroy

This is essentially how ausearch works.

The data structures would be hidden from the external application. Access to 
fields is a name/value style. You access the fields through functions that 
either return str pointer or ints.
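A small Python model of the proposed design, added here as an illustration (it is not Steve's code and not the libauparse API as it later shipped): the comments map each method to the function name proposed above, the three log lines and the uid table are constructed, and failed_logins() is the ausearch-style loop from the post with "res=failed" as the search criterion.

```python
import re
SAMPLE_LOG = "\n".join([  # constructed sample log (not from the post); same serial = same event
    'type=SYSCALL msg=audit(1141920000.123:456): arch=c000003e syscall=59 success=yes exit=0 uid=500 auid=500',
    'type=EXECVE msg=audit(1141920000.123:456): argc=2 a0="ls" a1="-l"',
    'type=USER_LOGIN msg=audit(1141920005.000:457): pid=1234 uid=0 auid=500 res=failed',
])
HDR = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UID_NAMES = {0: "root", 500: "sgrubb"}  # constructed stand-in for a passwd lookup

class AuParser:
    def __init__(self, text):                                   # auparse_init (buffer source)
        events = {}                                             # hidden from the caller
        for line in text.splitlines():
            m = HDR.match(line)
            if m:
                rtype, secs, serial, rest = m.groups()
                fields = [(k, v.strip('"')) for k, v in FIELD.findall(rest)]
                events.setdefault((int(secs), int(serial)), []).append((rtype, fields))
        self._events, self._ev = sorted(events.items()), -1
    def next_event(self):                                       # auparse_next_event
        self._ev, self._rec, self._fld = self._ev + 1, 0, 0
        if self._ev < len(self._events):                        # time/serial: auparse_get_time/_serial
            (self.time, self.serial), self._recs = self._events[self._ev]
        return self._ev < len(self._events)
    def first_record(self): self._rec = self._fld = 0           # auparse_first_record
    def next_record(self):                                      # auparse_next_record
        self._rec, self._fld = self._rec + 1, 0
        return self._rec < len(self._recs)
    def get_type(self): return self._recs[self._rec][0]         # auparse_get_type
    def find_field(self, name):                                 # auparse_find_field
        for r in range(self._rec, len(self._recs)):             # from current record to event end
            for f, (k, _) in enumerate(self._recs[r][1]):
                if k == name:
                    self._rec, self._fld = r, f
                    return True
        return False
    def get_field_str(self): return self._recs[self._rec][1][self._fld][1]  # auparse_get_field_str
    def interpret_field(self):                                  # auparse_interpret_field
        name, val = self._recs[self._rec][1][self._fld]
        return UID_NAMES.get(int(val), val) if name in ("uid", "auid") else val

def failed_logins(text):
    au, hits = AuParser(text), []
    while au.next_event():                                      # ausearch_next_event
        if au.find_field("res") and au.get_field_str() == "failed":  # the search criterion
            au.first_record()
            if au.find_field("auid"):
                hits.append((au.serial, au.interpret_field()))
    return hits
```

Running failed_logins(SAMPLE_LOG) yields one hit, event 457 with auid interpreted as "sgrubb"; the caller never sees the event/record/field tables, only the cursor functions.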

Would something like this meet everyone's needs?

-Steve