Audit Parsing Library Requirements

Steve Grubb sgrubb at redhat.com
Mon Mar 13 17:09:44 UTC 2006


On Monday 13 March 2006 12:00, Kevin Carr wrote:
> If I have a bunch of collected log files from around the network in my
> sysadmins home directory, I want to view all these files together and maybe
> with different filters (this is the seaudit GUI).  Can we make
> auparse_init() support multiple files specified manually?

I suppose. I'll add that to the spec.

> > int ausearch_set_param(auparse_state_t *au, const char *field, const char *op,
> >                        const char *value, austop_t where) - set search
> > options. The field would be the left hand side of the audit name/value
> > pairs.
>
> I am a bit confused about the capabilities provided above.  Can I make an
> array of these auparse_state_t objects and maintain several different
> search "views" on the library iterating over each view independently?  This
> would seem ideal.

I think the answer is Yes. Each state would be a search or iteration instance.
They could be searching different files or have different search parameters.
I think the analogy that was used previously was to think of them as "FILE *".
Using that analogy, a program can have multiple FILE *, each unique since
they have their own fopen call which initializes the resources and state.
auparse_init would be equivalent to fopen in this analogy.

-Steve
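The "one state per view" design discussed above, as an added illustration that is not libauparse code and not part of the original thread: each view_t carries its own cursor and filter over the same constructed records, so two views iterate independently like two FILE * handles. The view_* names and the name=value field lookup are assumptions made for this example, not the library's API.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed sample records in the audit name=value format (not from a real system). */
static const char *const SAMPLE_LOG[] = {
    "type=USER_LOGIN msg=audit(1142270000.101:17): uid=0 auid=500 res=success",
    "type=SYSCALL msg=audit(1142270000.102:18): syscall=5 uid=500 exe=\"/bin/cat\"",
    "type=USER_LOGIN msg=audit(1142270000.103:19): uid=0 auid=501 res=failed",
    "type=SYSCALL msg=audit(1142270000.104:20): syscall=5 uid=501 exe=\"/bin/ls\"",
};

/* One search view: like a FILE *, each instance owns its own cursor and filter. */
typedef struct {
    const char *const *lines;
    size_t n, pos;
    char field[32], value[64];   /* empty field means no filter */
} view_t;

/* view_init/view_destroy play the fopen()/fclose() roles of the analogy. */
view_t *view_init(const char *const *lines, size_t n)
{ view_t *v = calloc(1, sizeof *v); if (v) { v->lines = lines; v->n = n; } return v; }
void view_destroy(view_t *v) { free(v); }
/* Set this view's filter; only the "=" operator is modelled here. */
void view_set_param(view_t *v, const char *field, const char *value)
{ strncpy(v->field, field, sizeof v->field - 1); strncpy(v->value, value, sizeof v->value - 1); }
/* Copy the value of `field` from one record into out (quotes stripped); 0 if absent. */
static int get_field(const char *rec, const char *field, char *out, size_t outsz)
{
    size_t flen = strlen(field);
    for (const char *p = rec; *p; p++) {
        /* match only at a token boundary so "uid" never matches inside "auid" */
        if ((p == rec || p[-1] == ' ') && strncmp(p, field, flen) == 0 && p[flen] == '=') {
            const char *val = p + flen + 1; size_t len = strcspn(val, " ");
            if (len >= 2 && val[0] == '"' && val[len - 1] == '"') { val++; len -= 2; }
            if (len >= outsz) len = outsz - 1;
            memcpy(out, val, len); out[len] = '\0'; return 1;
        }
    }
    return 0;
}
/* Advance this view alone to its next matching record; NULL at end of data. */
const char *view_next_event(view_t *v)
{
    char buf[64];
    while (v->pos < v->n) {
        const char *rec = v->lines[v->pos++];
        if (!v->field[0] || (get_field(rec, v->field, buf, sizeof buf) && !strcmp(buf, v->value)))
            return rec;
    }
    return NULL;
}
```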
