Audit Parsing Library Requirements

[Steve Grubb]

On Thursday 09 March 2006 12:03, Debora Velarde wrote:
> If I want to match on two params (say syscall name and group id) would I
> call ausearch_set_param twice or pass ausearch_set_param all my parameters
> in one call?  Can you post how you imagine the call to look like?

Yes, you would call it twice. I would expect it to take 2 params: name & 
value.

So you would likely do:
ausearch_set_param("syscall", "open");
ausearch_set_param("gid", "500");

-Steve