Audit Parsing Library Requirements
Debora Velarde
dvelarde at us.ibm.com
Thu Mar 9 17:03:59 UTC 2006
If I want to match on two params (say syscall name and group id), would I
call ausearch_set_param twice or pass ausearch_set_param all my parameters
in one call? Can you post how you imagine the call would look?
linux-audit-bounces at redhat.com wrote on 03/09/2006 08:06:47 AM:
> On Wednesday 08 March 2006 10:39, Steve Grubb wrote:
> > I'll take a hack at proposing an API and send it in a little while.
>
> OK, here's what I have:
>
> The audit library parser could have the following functions:
>
> auparse_init - allow init of library. Set data source: logs, file, buffer.
> ausearch_set_param - set search options
> ausearch_next_event - traverse to the next event that yields a match based on
> search criteria.
> auparse_next_event - traverse to next event. This allows access to time and
> serial number.
> auparse_get_time - retrieve time stamp of current record
> auparse_get_serial - retrieve serial number of current record
> auparse_first_record - set iterator to first record in current event
> auparse_next_record - traverse to next record in event. This allows access to
> the event type
> auparse_get_type - retrieve type of current record
> auparse_first_field - set field pointer to first in current record
> auparse_next_field - traverse the fields in a record
> auparse_find_field() - find a given field in an event or record
> auparse_find_field_next() - find the next occurrence of that field in the
> same record
> auparse_get_field_str - return current field value as a string
> auparse_get_field_int - return current field value as an int
> auparse_interpret_field - interpret the current field as a string
> auparse_destroy - free all data structures and close file descriptors
>
> This would allow the following kind of programming:
>
> auparse_init
> ausearch_set_param
> while ausearch_next_event
> if auparse_find_field
> auparse_interpret_field
> print out
>
> ...
> auparse_destroy
>
> This is essentially how ausearch works.
>
> The data structures would be hidden from the external application. Access to
> fields is a name/value style. You access the fields through functions that
> either return str pointer or ints.
>
> Would something like this meet everyone's needs?
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
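The following is an added example, not code from this thread, from Steve's proposal or from the libauparse that later shipped (the shipped library exposes ausearch_add_item rather than ausearch_set_param). It models the proposed event -> record -> field iteration in Python over a constructed audit.log fragment, and answers Debora's question the way the proposal reads: one set_param call per criterion, with all criteria ANDed. The method names set_param / next_event / find_field / interpret_field mirror the proposed C names; the sample records, the Search class, the AND semantics and the tiny x86_64 syscall-name table are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the audit.log record format (not from the page).
# Records sharing a timestamp and serial number belong to the same event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1141923839.123:101): arch=c000003e syscall=2 success=yes exit=3 uid=1000 gid=100 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1141923839.123:101):  cwd="/home/dvelarde"
type=PATH msg=audit(1141923839.123:101): item=0 name="/etc/shadow" inode=1234 mode=0100000
type=SYSCALL msg=audit(1141923839.456:102): arch=c000003e syscall=59 success=yes exit=0 uid=1000 gid=100 comm="bash" exe="/bin/bash"
type=EXECVE msg=audit(1141923839.456:102): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1141923840.001:103): arch=c000003e syscall=2 success=no exit=-13 uid=1001 gid=200 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1141923840.001:103): item=0 name="/etc/sudoers"
"""

# "type=X msg=audit(SECONDS.MILLIS:SERIAL): <name=value ...>"
RECORD_RE = re.compile(r'^type=(\S+)\s+msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
# name=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Record:
    type: str
    fields: dict            # field name -> raw value string, as logged


@dataclass
class Event:
    time: float
    serial: int
    records: list = field(default_factory=list)

    def find_field(self, name):
        """Model of auparse_find_field: raw value of the first field called
        `name` in any record of this event, or None if absent."""
        for rec in self.records:
            if name in rec.fields:
                return rec.fields[name]
        return None


def parse_events(text):
    """Group raw records into events keyed by (timestamp, serial), preserving
    first-seen order. Lines that are not audit records are skipped."""
    events, order = {}, []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, secs, millis, serial, rest = m.groups()
        key = (int(secs), int(millis), int(serial))
        if key not in events:
            events[key] = Event(time=float(f"{secs}.{millis}"), serial=int(serial))
            order.append(key)
        events[key].records.append(Record(rtype, dict(FIELD_RE.findall(rest))))
    return [events[k] for k in order]


class Search:
    """Model of the proposed ausearch_set_param / ausearch_next_event pair.
    Assumption of this example: each set_param adds one criterion and an event
    matches only if every criterion is satisfied (AND); no criteria matches all."""

    def __init__(self, events):
        self._events = events
        self._params = []
        self._pos = 0

    def set_param(self, name, value):
        self._params.append((name, str(value)))

    def next_event(self):
        while self._pos < len(self._events):
            ev = self._events[self._pos]
            self._pos += 1
            if all(ev.find_field(n) == v for n, v in self._params):
                return ev
        return None          # end of data


# Toy lookup for the "interpret" step; x86_64 numbers only (assumed, illustrative).
SYSCALL_NAMES_X86_64 = {"2": "open", "59": "execve"}


def interpret_field(name, raw):
    """Model of auparse_interpret_field: turn a raw value into something
    human-readable (syscall number -> name, quoted string -> unquoted)."""
    if raw is None:
        return None
    if name == "syscall":
        return SYSCALL_NAMES_X86_64.get(raw, raw)
    return raw.strip('"')


def search_syscall_gid(text, syscall, gid):
    """Debora's case: two criteria, two set_param calls. Returns one
    (serial, exe, syscall name) tuple per matching event."""
    s = Search(parse_events(text))
    s.set_param("syscall", syscall)
    s.set_param("gid", gid)
    hits = []
    while (ev := s.next_event()) is not None:
        hits.append((ev.serial,
                     interpret_field("exe", ev.find_field("exe")),
                     interpret_field("syscall", ev.find_field("syscall"))))
    return hits


if __name__ == "__main__":
    for serial, exe, name in search_syscall_gid(SAMPLE_LOG, 2, 100):
        print(f"event {serial}: {exe} called {name}")
```

With the sample above, searching for syscall 2 and gid 100 yields only event 101: event 103 also has syscall=2 but gid=200, and event 102 is an execve. Whether the real library ANDs or ORs multiple criteria is exactly the point Debora's question raises, and nothing in Steve's sketch settles it, so that behaviour is a deliberate assumption here.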