Audit Parsing Library Requirements

Debora Velarde dvelarde at us.ibm.com
Thu Mar 9 18:49:08 UTC 2006


Not sure if ausearch supports this now, but I'm thinking of two use cases:
1.  If I want to find all records where the auid is NOT 500
2.  If I want to find all records where the gid is greater than 500.

Could we then do:
ausearch_set_param("auid", "!=", "500");
ausearch_set_param("gid", ">", "500");


Steve Grubb <sgrubb at redhat.com> wrote on 03/09/2006 09:08:05 AM:

> On Thursday 09 March 2006 12:03, Debora Velarde wrote:
> > If I want to match on two params (say syscall name and group id) would I
> > call ausearch_set_param twice or pass ausearch_set_param all my parameters
> > in one call?  Can you post how you imagine the call to look like?
> 
> Yes, you would call it twice. I would expect it to take 2 params: name &
> value.
> 
> So you would likely do:
> ausearch_set_param("syscall", "open");
> ausearch_set_param("gid", "500");
> 
> -Steve
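
The design being discussed above (one set_param call per criterion, criteria ANDed, with "!=" and ">" as operators), as an added example that is not part of this thread and not code from the audit library. It is a self-contained C model: the names ausearch_model_set_param, ausearch_model_match and count_with, and the sample records, are constructed for this example, and the search API that libauparse eventually shipped has different names and signatures. The model makes two choices the thread leaves open: a record that lacks the field never matches, even for "!=", and the ordering operators only apply when both sides parse as integers.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One search criterion: the "call set_param once per criterion, criteria
 * are ANDed" design from the thread. Constructed model, not libauparse. */
typedef struct { const char *field, *op, *value; } search_param;

#define MAX_PARAMS 8
typedef struct { search_param params[MAX_PARAMS]; int count; } search_state;

/* Add one criterion. Returns 0, or -1 on an unknown operator or a full table. */
int ausearch_model_set_param(search_state *s, const char *field,
                             const char *op, const char *value)
{
    static const char *ops[] = { "=", "!=", ">", ">=", "<", "<=" };
    int known = 0;
    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++)
        known |= strcmp(op, ops[i]) == 0;
    if (!known || s->count >= MAX_PARAMS)
        return -1;
    s->params[s->count++] = (search_param){ field, op, value };
    return 0;
}

/* Copy the value of "field=" from a key=value record into buf. The key must
 * start a token, so looking up "uid" does not hit the inside of "auid=". */
static int get_field(const char *rec, const char *field, char *buf, size_t len)
{
    size_t flen = strlen(field);
    for (const char *p = rec; (p = strstr(p, field)) != NULL; p += flen) {
        if ((p != rec && !isspace((unsigned char)p[-1])) || p[flen] != '=')
            continue;
        const char *v = p + flen + 1;
        size_t n = strcspn(v, " \t\n");   /* value runs to the next blank */
        if (n >= len) n = len - 1;
        memcpy(buf, v, n);
        buf[n] = '\0';
        return 1;
    }
    return 0;
}

/* Evaluate one criterion. A record lacking the field never matches, even for
 * "!=", so "auid != 500" does not sweep in records that carry no auid at all.
 * Ordering operators need an integer on both sides; otherwise no match. */
static int param_matches(const search_param *sp, const char *rec)
{
    char val[64], *e1, *e2;
    if (!get_field(rec, sp->field, val, sizeof val))
        return 0;
    if (strcmp(sp->op, "=") == 0)  return strcmp(val, sp->value) == 0;
    if (strcmp(sp->op, "!=") == 0) return strcmp(val, sp->value) != 0;
    long long a = strtoll(val, &e1, 10), b = strtoll(sp->value, &e2, 10);
    if (val[0] == '\0' || *e1 != '\0' || *e2 != '\0')
        return 0;
    if (strcmp(sp->op, ">") == 0)  return a > b;
    if (strcmp(sp->op, ">=") == 0) return a >= b;
    if (strcmp(sp->op, "<") == 0)  return a < b;
    return a <= b;
}

/* Every criterion must hold: two set_param calls mean AND, not OR. */
int ausearch_model_match(const search_state *s, const char *rec)
{
    for (int i = 0; i < s->count; i++)
        if (!param_matches(&s->params[i], rec))
            return 0;
    return 1;
}

/* Constructed records in the key=value layout of the audit log. A raw record
 * carries the syscall number; the name is used here so the thread's
 * syscall=open example runs against them as written. */
static const char *sample_records[] = {
    "type=SYSCALL msg=audit(1141929000.101:1): arch=c000003e syscall=open success=yes exit=3 auid=500 uid=500 gid=500 comm=\"vi\"",
    "type=SYSCALL msg=audit(1141929000.102:2): arch=c000003e syscall=open success=no exit=-13 auid=501 uid=501 gid=501 comm=\"cat\"",
    "type=SYSCALL msg=audit(1141929000.103:3): arch=c000003e syscall=execve success=yes exit=0 auid=4294967295 uid=0 gid=0 comm=\"cron\"",
    "type=SYSCALL msg=audit(1141929000.104:4): arch=c000003e syscall=open success=yes exit=4 auid=500 uid=500 gid=1000 comm=\"sh\"",
};
#define NSAMPLES (sizeof sample_records / sizeof sample_records[0])

/* Count sample records matching one or two criteria (f2 == NULL for one).
 * Returns -1 if a criterion is rejected. */
int count_with(const char *f1, const char *o1, const char *v1,
               const char *f2, const char *o2, const char *v2)
{
    search_state s = { .count = 0 };
    int n = 0;
    if (ausearch_model_set_param(&s, f1, o1, v1) < 0) return -1;
    if (f2 && ausearch_model_set_param(&s, f2, o2, v2) < 0) return -1;
    for (size_t i = 0; i < NSAMPLES; i++)
        n += ausearch_model_match(&s, sample_records[i]);
    return n;
}

int main(void)
{
    printf("auid != 500: %d\n", count_with("auid", "!=", "500", NULL, NULL, NULL));
    printf("gid > 500: %d\n", count_with("gid", ">", "500", NULL, NULL, NULL));
    printf("syscall=open and gid=500: %d\n",
           count_with("syscall", "=", "open", "gid", "=", "500"));
    return 0;
}
```

One caveat the model makes visible: a record whose login uid was never set carries auid=4294967295 (the unsigned form of -1), so "auid != 500" also returns every such record. If the intent is "a different logged-in user", that needs a second criterion rather than a looser operator, and the AND semantics of repeated set_param calls is what makes that expressible.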



