#include<stdio.h>
#include<unistd.h>
#include<auparse.h>
#include<stdlib.h>
#include "libaudit.h"
#include<unistd.h>
#include<fcntl.h>
#include<time.h>
int main(void)
{
char *data;
int i=0;
data="type=USER_ACCT msg=audit(1200638450.722:15): user pid=2156 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe=\"/usr/sbin/gdm-binary\" (hostname=?, addr=?, terminal=:0 res=success)'\0";
auparse_state_t *au = auparse_init(AUSOURCE_BUFFER,data);
if (au == NULL)
{ printf("hi eroror \n");
exit(1);
}
//ADDING RULES
if (!ausearch_add_item(au, "a0", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "a1", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "a2", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "a3", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "a4", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "acct", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "addr", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "arch", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "audit_backlog_limit", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "audit_enabled", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "audit_failure", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "auid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "comm", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "cwd", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "dev", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "egid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "euid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "exe", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "exit", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "file", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "flags", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "format", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "fsgid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "fsuid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "gid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "hostname", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "id", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "inode", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "inode_gid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "inode_uid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "item", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "items", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "list", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "mode", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "msg", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "nargs", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "name", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "obj", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "ogid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "old", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "old_prom", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "op", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "ouid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "parent", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "path", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "perm", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "perm_mask", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "pid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "prom", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "qbytes", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "range", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "rdev", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "res", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "result", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "role", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "saddr", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "sauid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "scontext", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "seuser", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "sgid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "spid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "subj", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "success", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "suid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "syscall", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "tclass", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "tcontext", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "terminal", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "tty", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "type", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "uid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "user", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "ver", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "watch", "!=", "NULL", AUSEARCH_RULE_OR)) {}
auparse_next_event(au);
if (auparse_find_field(au, "auid")) {
printf("auid=%s\n", auparse_get_field_str(au));
}
if (auparse_find_field(au, "hostname")) {
printf("hostname=%s\n", auparse_get_field_str(au));
}
auparse_destroy(au);
return 0;
}
Same code tried with file pointer is working properly that is auparse_init(AUSOURCE_FILE_POINTER, <<File Pointer>>).
But when tried with buffer is neither giving output nor error. auparse_init(AUSOURCE_BUFFER, <<buffer address>>).