auparse question

Steve Grubb sgrubb at redhat.com
Wed Aug 31 18:29:38 UTC 2011


On Tuesday, August 30, 2011 07:18:02 PM Miloslav Trmac wrote:
> ----- Original Message -----
> > I'm using auparse_get_field_type from the parse lib.
> > The return value for error is "0" which is also that of the AUDIT_PID
> > field.
> > 
> > Right? I am getting some errors that I thought were PIDs.
> 
> The return value of auparse_get_field_type() is a value from auparse_type_t
> defined in auparse-defs.h.

Right. AUDIT_PID is an event record type which would be returned by 
auparse_get_type(). If you look in auparse.h, you can see the groupings of functions 
that access event level, record level, and field level components.


> 0 is AUPARSE_TYPE_UNCLASSIFIED (i.e. "there is
> no current field, or we don't know what kind of data is in the field"). 

Yes, but the intent of AUPARSE_TYPE_UNCLASSIFIED is to say that the field contains data 
that needs no special cross reference or conversion to be human readable (or as you 
say we don't know about the field). This is different from returning something to say 
that you are not pointed at a valid field - i.e. you ran off the end. From what I can 
tell, you can only get the error if you are moving the internal pointer around without 
checking return codes. There really is an unintended API mistake in there. :)


> AUPARSE_TYPE_* and the AUDIT_* field enums both deal with fields, but are
> distinct.  It is somewhat confusing I'm afraid.

Maybe looking at the auparse.h file clarifies a few things since they are grouped?

-Steve
