Re: audit plugin for AVC and USER_AVC messages

ok Thanks I 'll try the multithreading . I have one more thing that I want to acheive using the handle_event I want to print the logs with different severity based on TYPE and permissive set to 1 or 0 . SO my sample code is like below. When I use the API "auparse_find_field" , does it move the pointer to the field value permanently ? Do I need to reset the pointer before I pass the "au" to next function ? static void handle_event(auparse_state_t *au, 151 auparse_cb_event_t cb_event_type, void *user_data) 152 { 153 int type, num = 0; 154 155 if (cb_event_type != AUPARSE_CB_EVENT_READY) 156 return; 157 158 while (auparse_goto_record_num(au, num) > 0) { 159 type = auparse_get_type(au); 160 const char *perm = auparse_find_field(au, "permissive"); 161 162 switch (type) { 163 case AUDIT_AVC: 164 case AUDIT_USER_AVC: 165 if (perm) { 166 if (strncmp(perm, "0", 1) == 0) { 167 dump_avc_critical_record(au); 168 } 169 else if (strncmp(perm, "1", 1) == 0) { 170 dump_avc_info_record(au); 171 } 172 } 173 else { 174 dump_avc_info_record(au); 175 } 176 break; 177 default: 178 dump_whole_record(au); 179 break; 180 } 181 num ++; 182 } 183 }