I 'll use auparse_reset() but from the description it's not clear if it will reset
the curson to the beginning to the current record ?
https://github.com/linux-audit/audit-userspace/blob/4e6deae41d4646d28bb3b...
150 static void handle_event(auparse_state_t *au,
151 auparse_cb_event_t cb_event_type, void *user_data)
152 {
153 int type, num = 0;
154 const char *perm;
155 while (auparse_goto_record_num(au, num) > 0) {
156 type = auparse_get_type(au);
157
158 switch (type) {
159 case AUDIT_AVC:
160 case AUDIT_USER_AVC:
161 perm = auparse_find_field(au, "permissive");
162 auparse_reset(au);
163 if (perm) {
164 if (*perm == '0') {
165 dump_avc_critical_record(au);
166 }
167 else if (*perm == '1') {
168 dump_avc_info_record(au);
169 }
170 }
171 else {
172 dump_avc_info_record(au);
173 }
174 break;
175 default:
176 dump_whole_record(au);
177 break;
178 }
179 num ++;
180 }
181 }