Audit Parsing Library Requirements

Kevin Carr kcarr at tresys.com
Mon Mar 13 17:00:12 UTC 2006


> Functions
> ---------
> auparse_state_t - is an opaque data type used for maintaining library
> state.
> 
> typedef enum { AUSOURCE_LOGS, AUSOURCE_FILE, AUSOURCE_BUFFER } ausource_t;
>
> auparse_state_t *auparse_init(ausource_t source, const void *b) - allow
> init of library. Set data source: logs, file, buffer. The pointer 'b' is
> used to set the file name or pass the buff when those types are given.

If I have a bunch of collected log files from around the network in my
sysadmin's home directory, I want to view all these files together and maybe
with different filters (this is the seaudit GUI). Can we make
auparse_init() support multiple files specified manually?

Example:
const char *files[] = { "/home/admin/log1", "/home/admin/log2", NULL };
auparse_init(AUSOURCE_FILES, files);

> 
> typedef enum { AUSEARCH_STOP_EVENT, AUSEARCH_STOP_RECORD,
> AUSEARCH_STOP_FIELD } austop_t;
> 
> int ausearch_set_param(auparse_state_t *au, const char *field,
>                        const char *op, const char *value, austop_t where)
> - set search options. The field would be the left hand side of the audit
> name/value pairs.

I am a bit confused about the capabilities provided above. Can I make an
array of these auparse_state_t objects and maintain several different search
"views" on the library iterating over each view independently? This would
seem ideal.

> The op would be how to match: =,!=,>,<. The value would be the right hand
> side of the audit field name/value pairs. The where parameter tells the
> search library where to place the internal cursor when a match is found.
> It could be on first field of first record, first field of record
> containing the match, or the field that matches.


Kevin Carr
Tresys Technology
410.290.1411 x137
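Added example (editor's illustration, not code from this thread or from the audit project): a toy, in-memory model of the two points raised above, namely opening one search over several log files at once and keeping several independent search "views" over the same data, each with its own (field, op, value) filter and its own cursor. Nothing here is the libauparse API; `view_t`, `view_open`, `view_next`, `nth_match_serial` and the `SAMPLE_LOGS` records are all constructed for this example, and "files" are string buffers so that it runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: two audit "files" as in-memory buffers in the audit name=value layout. */
static const char *SAMPLE_LOGS[] = {
    "type=SYSCALL msg=audit(1142270412.101:33): syscall=2 success=yes uid=0 pid=4213\n"
    "type=SYSCALL msg=audit(1142270412.220:34): syscall=5 success=no uid=500 pid=4220\n",
    "type=USER_LOGIN msg=audit(1142270500.004:35): uid=500 pid=4300 res=failed\n"
    "type=SYSCALL msg=audit(1142270501.110:36): syscall=2 success=yes uid=500 pid=4301\n",
    NULL
};

typedef struct {             /* one search view: own cursor over the file list, own filter */
    const char **bufs;       /* NULL-terminated buffers, one per file; advanced as files are consumed */
    const char *cur;         /* next unread record in *bufs; NULL once every file is exhausted */
    char field[32], op[3], value[64];
} view_t;

/* Open a view over bufs with the proposed (field, op, value) filter; -1 on an unknown op. */
int view_open(view_t *v, const char **bufs, const char *field, const char *op, const char *value)
{
    if (strcmp(op, "=") && strcmp(op, "!=") && strcmp(op, ">") && strcmp(op, "<")) return -1;
    *v = (view_t){ .bufs = bufs, .cur = *bufs };
    snprintf(v->field, sizeof v->field, "%s", field);
    snprintf(v->op, sizeof v->op, "%s", op);
    snprintf(v->value, sizeof v->value, "%s", value);
    return 0;
}

/* Value of name=value pair `field` in rec[0..len); the name must start the record or follow
 * a space, so "uid=" never matches inside "auid=". Returns 1 if found, 0 otherwise. */
static int get_field(const char *rec, size_t len, const char *field, char *out, size_t outsz)
{
    size_t flen = strlen(field), i, n;
    for (i = 0; i + flen < len; i++) {
        if ((i && rec[i - 1] != ' ') || rec[i + flen] != '=' || memcmp(rec + i, field, flen))
            continue;
        rec += i + flen + 1, len -= i + flen + 1;
        for (n = 0; n < len && rec[n] != ' '; n++) {}
        snprintf(out, outsz, "%.*s", (int)n, rec);
        return 1;
    }
    return 0;
}

/* Apply the filter to one record; two numeric values compare as numbers (pid > 4250), else as text. */
static int match(const view_t *v, const char *rec, size_t len)
{
    char got[64], *e1, *e2; long a, b, cmp;
    if (!get_field(rec, len, v->field, got, sizeof got)) return 0;   /* field absent: no match */
    a = strtol(got, &e1, 10), b = strtol(v->value, &e2, 10);
    cmp = (got[0] && v->value[0] && !*e1 && !*e2) ? (a > b) - (a < b) : strcmp(got, v->value);
    if (!strcmp(v->op, "=")) return cmp == 0;
    if (!strcmp(v->op, "!=")) return cmp != 0;
    return strcmp(v->op, ">") ? cmp < 0 : cmp > 0;
}

/* Advance to the next matching record across file boundaries: copy it (no newline) to out, 1; else 0. */
int view_next(view_t *v, char *out, size_t outsz)
{
    while (v->cur) {
        const char *rec = v->cur, *nl = strchr(rec, '\n');
        size_t len = nl ? (size_t)(nl - rec) : strlen(rec);
        if (!*rec) { v->cur = *++v->bufs; continue; }   /* this file is done: move to the next */
        v->cur = nl ? nl + 1 : rec + len;
        if (match(v, rec, len)) {
            snprintf(out, outsz, "%.*s", (int)len, rec);
            return 1;
        }
    }
    return 0;
}

long serial_of(const char *rec)          /* the N in "audit(ts:N)", or -1 */
{
    const char *p = strchr(rec, ':');
    return p ? strtol(p + 1, NULL, 10) : -1;
}

/* Serial of the n-th (1-based) match across all files; -1 if fewer than n, -2 on a bad op. */
long nth_match_serial(const char **bufs, const char *field, const char *op, const char *value, int n)
{
    view_t v; char rec[256];
    if (view_open(&v, bufs, field, op, value) < 0) return -2;
    while (view_next(&v, rec, sizeof rec))
        if (--n == 0) return serial_of(rec);
    return -1;
}
/* Two views over the same files with different filters. View A (uid=500) is read twice before
 * view B (success=yes) is touched; B still yields its own first match (serial 33) because each
 * view_t carries its own cursor, which is what independent per-view iteration needs. */
long first_serial_after_interleave(void)
{
    view_t a, b; char ra[256], rb[256]; int i;
    view_open(&a, SAMPLE_LOGS, "uid", "=", "500");
    view_open(&b, SAMPLE_LOGS, "success", "=", "yes");
    for (i = 0; i < 2; i++) view_next(&a, ra, sizeof ra);   /* consumes serials 34 and 35 */
    return view_next(&b, rb, sizeof rb) ? serial_of(rb) : -1;
}
```

The design choice worth noting for the API discussion: all per-search state (file position and filter) lives in the `view_t` handle and none in globals, so any number of handles over the same file list can be iterated in any order without interfering, which is the property a multi-view GUI would rely on.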