Audit Parsing Library Requirements

Michael C Thompson mcthomps at us.ibm.com
Thu Mar 9 16:48:10 UTC 2006


linux-audit-bounces at redhat.com wrote on 03/09/2006 10:06:47 AM:

> On Wednesday 08 March 2006 10:39, Steve Grubb wrote:
> > I'll take a hack at proposing an API and send it in a little while.
> 
> OK, here's what I have:
> 
> The audit library parser could have the following functions:
> 
> auparse_init - allow init of library. Set data source: logs, file, buffer.
> ausearch_set_param - set search options

What sort of search options can you set? Are these basically the same that 
ausearch allows? If so, being able to search based on the value of any 
field would be useful for testing (although they might not be in a 
real-world application, e.g. a0).

> ausearch_next_event - traverse to the next event that yields a match based on
> search criteria.
> auparse_next_event - traverse to next event. This allows access to time and
> serial number.
> auparse_get_time - retrieve time stamp of current record
> auparse_get_serial - retrieve serial number of current record
> auparse_first_record - set iterator to first record in current event
> auparse_next_record - traverse to next record in event. This allows access to
> the event type
> auparse_get_type - retrieve type of current record
> auparse_first_field - set field pointer to first in current record
> auparse_next_field - traverse the fields in a record
> auparse_find_field() - find a given field in an event or record
> auparse_find_field_next() - find the next occurrence of that field in the same
> record
> auparse_get_field_str - return current field value as a string
> auparse_get_field_int - return current field value as an int
> auparse_interpret_field - interpret the current field as a string
> auparse_destroy - free all data structures and close file descriptors
> 
> This would allow the following kind of programming:
> 
> auparse_init
> ausearch_set_param
> while ausearch_next_event
>         if auparse_find_field
>                 auparse_interpret_field
>                 print out
> 
>         ...
> auparse_destroy
> 
> This is essentially how ausearch works.
> 
> The data structures would be hidden from the external application. Access to
> fields is a name/value style. You access the fields through functions that
> either return str pointer or ints.
> 
> Would something like this meet everyone's needs?
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
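As an added illustration (not code from this thread, and not the audit project's own libauparse, whose real API differs in names and signatures), here is a self-contained C sketch of the design Steve describes: an opaque state the application never looks inside, event and record iterators, a name-keyed field lookup, and accessors that hand the value back as a string or an int. It runs the proposal's loop (init, next event, find field, read value, destroy) over a constructed buffer of audit records. Every ap_* name, the helper functions and the sample records are invented for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical opaque parser state (ap_* names are invented for this sketch, not libauparse's API). */
typedef struct {
    char *buf;                        /* private copy of the log data, cut into NUL-terminated records */
    char **rec;                       /* one pointer per "type=..." record line */
    int nrec, ev_start, ev_end, cur;  /* record count; [ev_start, ev_end) is the current event; cur its record */
    char value[256], type[32];        /* last value found by ap_find_field; type filled by ap_get_type */
} ap_state;
/* Serial from "msg=audit(time:serial):"; consecutive records sharing it form one event. */
static long rec_serial(const char *r) {
    const char *p = strstr(r, "msg=audit(");
    return p && (p = strchr(p, ':')) ? strtol(p + 1, NULL, 10) : -1;
}
/* Copy the value of "name=..." out of one record; the key must start at a token boundary
 * (so "uid" never matches "auid=" or "euid=") and surrounding double quotes are stripped. */
static int field_in_record(const char *rec, const char *name, char *out, size_t n) {
    size_t len = strlen(name);
    for (const char *p = rec; (p = strstr(p, name)) != NULL; p += len) {
        if ((p != rec && p[-1] != ' ') || p[len] != '=') continue;
        const char *v = p + len + 1, *end;
        if (*v == '"') { v++; end = strchr(v, '"'); } else end = strchr(v, ' ');
        size_t vl = end ? (size_t)(end - v) : strlen(v);
        if (vl >= n) vl = n - 1;
        memcpy(out, v, vl); out[vl] = '\0';
        return 1;
    }
    return 0;
}

/* auparse_init with a buffer data source: split into lines and keep only the audit records. */
ap_state *ap_init(const char *data) {
    ap_state *s = calloc(1, sizeof *s);
    if (!s || !(s->buf = malloc(strlen(data) + 1))) { free(s); return NULL; }
    strcpy(s->buf, data);
    for (char *line = strtok(s->buf, "\n"); line; line = strtok(NULL, "\n")) {
        char **grown = strncmp(line, "type=", 5) ? NULL : realloc(s->rec, (size_t)(s->nrec + 1) * sizeof *grown);
        if (grown) { s->rec = grown; s->rec[s->nrec++] = line; }   /* skip non-record lines (and a record on OOM) */
    }
    return s;
}
/* Advance to the next event; returns 1 while one is available. */
int ap_next_event(ap_state *s) {
    if (s->ev_end >= s->nrec) return 0;
    long serial = rec_serial(s->rec[s->ev_end]);
    s->ev_start = s->cur = s->ev_end++;
    while (s->ev_end < s->nrec && rec_serial(s->rec[s->ev_end]) == serial) s->ev_end++;
    return 1;
}
long ap_get_serial(const ap_state *s) { return rec_serial(s->rec[s->cur]); }
int ap_first_record(ap_state *s) { s->cur = s->ev_start; return 1; }
int ap_next_record(ap_state *s) { if (s->cur + 1 >= s->ev_end) return 0; s->cur++; return 1; }
const char *ap_get_type(ap_state *s) { return field_in_record(s->rec[s->cur], "type", s->type, sizeof s->type) ? s->type : ""; }
/* Look a field up by name in every record of the event; the record pointer stays on the hit. */
int ap_find_field(ap_state *s, const char *name) {
    for (int i = s->ev_start; i < s->ev_end; i++)
        if (field_in_record(s->rec[i], name, s->value, sizeof s->value)) { s->cur = i; return 1; }
    return 0;
}
const char *ap_get_field_str(const ap_state *s) { return s->value; }
long ap_get_field_int(const ap_state *s) { return strtol(s->value, NULL, 10); }
void ap_destroy(ap_state *s) { if (s) { free(s->rec); free(s->buf); free(s); } }

/* Constructed sample: three events (serials 456, 457, 458); the first spans two records. */
static const char SAMPLE[] =
    "type=SYSCALL msg=audit(1141925000.123:456): arch=c000003e syscall=2 success=yes exit=3 pid=1234 auid=1000 uid=0 comm=\"cat\" exe=\"/bin/cat\" key=\"access\"\n"
    "type=CWD msg=audit(1141925000.123:456): cwd=\"/home/alice\"\n"
    "type=USER_LOGIN msg=audit(1141925001.500:457): pid=900 uid=0 auid=4294967295 msg='op=login acct=\"bob\" res=failed'\n"
    "type=SYSCALL msg=audit(1141925002.000:458): arch=c000003e syscall=59 success=yes exit=0 pid=1300 auid=1000 uid=1000 comm=\"ls\" exe=\"/bin/ls\" key=\"exec\"\n";

/* The loop from the proposal: walk events, find a field by name, act on its integer value. */
int count_events_where(const char *data, const char *name, long want) {
    ap_state *s = ap_init(data); int n = 0;
    while (s && ap_next_event(s)) if (ap_find_field(s, name) && ap_get_field_int(s) == want) n++;
    ap_destroy(s); return n;
}
/* 1 if some event carries name=value in a record of the given type (the lookup must land on the right record). */
int lookup_matches(const char *data, const char *name, const char *type, const char *value) {
    ap_state *s = ap_init(data); int hit = 0;
    while (s && !hit && ap_next_event(s)) if (ap_find_field(s, name))
        hit = !strcmp(ap_get_type(s), type) && !strcmp(ap_get_field_str(s), value);
    ap_destroy(s); return hit;
}
/* Record count of one event, walking the record iterator the way ausearch prints records. */
int records_in_event(const char *data, long serial) {
    ap_state *s = ap_init(data); int n = 0;
    while (s && ap_next_event(s)) if (ap_get_serial(s) == serial)
        for (ap_first_record(s), n = 1; ap_next_record(s); n++) {}
    ap_destroy(s); return n;
}

int main(void) {
    printf("event 456 has %d records; %d events carry auid=1000; cwd sits in a CWD record: %d\n",
           records_in_event(SAMPLE, 456), count_events_where(SAMPLE, "auid", 1000),
           lookup_matches(SAMPLE, "cwd", "CWD", "/home/alice"));
    return 0;
}
```

The token-boundary check in field_in_record is the part worth copying: audit records carry uid, auid, euid, suid and fsuid side by side, so a naive substring search for a field name returns the wrong value, which matters when the lookup drives an alert or a test assertion.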