Audit Parsing Library Requirements

Debora Velarde dvelarde at us.ibm.com
Thu Mar 9 17:03:59 UTC 2006


If I want to match on two params (say syscall name and group id) would I 
call ausearch_set_param twice or pass ausearch_set_param all my parameters 
in one call?  Can you post what you imagine the call would look like?

linux-audit-bounces at redhat.com wrote on 03/09/2006 08:06:47 AM:

> On Wednesday 08 March 2006 10:39, Steve Grubb wrote:
> > I'll take a hack at proposing an API and send it in a little while.
> 
> OK, here's what I have:
> 
> The audit library parser could have the following functions:
> 
> auparse_init - allow init of library. Set data source: logs, file, buffer.
> ausearch_set_param - set search options
> ausearch_next_event - traverse to the next event that yields a match based on
> search criteria.
> auparse_next_event - traverse to next event. This allows access to time and
> serial number.
> auparse_get_time - retrieve time stamp of current record
> auparse_get_serial - retrieve serial number of current record
> auparse_first_record - set iterator to first record in current event
> auparse_next_record - traverse to next record in event. This allows access to
> the event type
> auparse_get_type - retrieve type of current record
> auparse_first_field - set field pointer to first in current record
> auparse_next_field  - traverse the fields in a record
> auparse_find_field() - find a given field in an event or record
> auparse_find_field_next() - find the next occurrence of that field in the
> same record
> auparse_get_field_str - return current field value as a string
> auparse_get_field_int -  return current field value as an int
> auparse_interpret_field - interpret the current field as a string
> auparse_destroy - free all data structures and close file descriptors
> 
> This would allow the following kind of programming:
> 
> auparse_init
> ausearch_set_param
> while ausearch_next_event
>         if auparse_find_field
>                 auparse_interpret_field
>                 print out
> 
>         ...
> auparse_destroy
> 
> This is essentially how ausearch works.
> 
> The data structures would be hidden from the external application. Access to
> fields is a name/value style. You access the fields through functions that
> either return str pointer or ints.
> 
> Would something like this meet everyone's needs?
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
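As an added illustration of the name/value access model proposed above and of Debora's question about matching on two criteria (syscall name and gid), here is example code written for this page; it is not the auparse library and not anything posted in the thread. The sample records, the field lookup, the two-entry syscall table and the search loop are constructed stand-ins for auparse_find_field/auparse_get_field_str, auparse_interpret_field and ausearch_set_param/ausearch_next_event.

```c
#include <string.h>
/* Constructed sample records in the kernel audit name=value format (not taken
 * from the thread); serials and values are made up, syscall is the raw number. */
static const char *sample_records[] = {
    "type=SYSCALL msg=audit(1141924799.100:101): arch=c000003e syscall=2 success=yes uid=0 egid=100 gid=0 comm=\"cat\"",
    "type=SYSCALL msg=audit(1141924799.200:102): arch=c000003e syscall=2 success=no uid=500 gid=100 comm=\"vi\"",
    "type=SYSCALL msg=audit(1141924799.300:103): arch=c000003e syscall=59 success=yes uid=500 gid=100 comm=\"bash\"",
};
#define NRECORDS (sizeof sample_records / sizeof sample_records[0])
static char field_buf[64];   /* scratch buffer for callers */

/* Stand-in for auparse_find_field + auparse_get_field_str: copy the value of
 * field `name` into `out`. Returns 1 if found, 0 if absent; quotes are dropped. */
int record_find_field(const char *record, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    for (const char *p = record; (p = strstr(p, name)) != NULL; p += nlen) {
        if ((p != record && p[-1] != ' ') || p[nlen] != '=')
            continue;                 /* "egid=" must not satisfy a lookup of "gid" */
        const char *v = p + nlen + 1;
        char delim = ' ';
        if (*v == '"') { v++; delim = '"'; }
        const char *end = strchr(v, delim);
        size_t vlen = end ? (size_t)(end - v) : strlen(v);
        if (vlen >= outlen) vlen = outlen - 1;
        memcpy(out, v, vlen); out[vlen] = '\0';
        return 1;
    }
    return 0;
}

/* Stand-in for auparse_interpret_field on syscall: assumed x86_64 numbers. */
const char *interpret_syscall(const char *num) {
    if (strcmp(num, "2") == 0)  return "open";
    if (strcmp(num, "59") == 0) return "execve";
    return num;
}

/* Stand-in for ausearch_set_param + ausearch_next_event with two criteria:
 * a record matches only when interpreted syscall name AND gid both agree. */
int count_matching(const char *syscall_name, const char *gid) {
    int hits = 0;
    char sc[32], g[32];
    for (size_t i = 0; i < NRECORDS; i++) {
        const char *r = sample_records[i];
        if (record_find_field(r, "syscall", sc, sizeof sc) &&
            strcmp(interpret_syscall(sc), syscall_name) == 0 &&
            record_find_field(r, "gid", g, sizeof g) && strcmp(g, gid) == 0)
            hits++;
    }
    return hits;
}
```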