On Wednesday 08 March 2006 10:39, Steve Grubb wrote:
> I'll take a hack at proposing an API and send it in a little while.

OK, here's what I have:
The audit library parser could have the following functions:

auparse_init - allow init of library. Set data source: logs, file, buffer.
ausearch_set_param - set search options
ausearch_next_event - traverse to the next event that yields a match based on search criteria.
auparse_next_event - traverse to next event. This allows access to time and serial number.
auparse_get_time - retrieve time stamp of current record
auparse_get_serial - retrieve serial number of current record
auparse_first_record - set iterator to first record in current event
auparse_next_record - traverse to next record in event. This allows access to the event type
auparse_get_type - retrieve type of current record
auparse_first_field - set field pointer to first in current record
auparse_next_field - traverse the fields in a record
auparse_find_field() - find a given field in an event or record
auparse_find_field_next() - find the next occurrence of that field in the same record
auparse_get_field_str - return current field value as a string
auparse_get_field_int - return current field value as an int
auparse_interpret_field - interpret the current field as a string
auparse_destroy - free all data structures and close file descriptors

This would allow the following kind of programming:

auparse_init
ausearch_set_param
while ausearch_next_event
    if auparse_find_field
        auparse_interpret_field
        print out
    ...
auparse_destroy

This is essentially how ausearch works.

The data structures would be hidden from the external application. Access to
fields is a name/value style. You access the fields through functions that
either return str pointer or ints.
Would something like this meet everyone's needs?
-Steve
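
The event / record / field traversal proposed in the message above, as an added, self-contained sketch; it is not part of the original message and not the audit project's code. The helper names (rec_stamp, rec_field, match_events) are hypothetical and the log records are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample records: the first two share serial 4567, so they are one event. */
static const char *sample[] = {
    "type=SYSCALL msg=audit(1141832340.123:4567): syscall=5 success=no uid=500 auid=500 comm=\"cat\"",
    "type=PATH msg=audit(1141832340.123:4567): name=\"/etc/shadow\" inode=1234",
    "type=USER_LOGIN msg=audit(1141832355.001:4568): uid=0 auid=500 res=failed",
};

/* Hypothetical helper: read time and serial from "msg=audit(sec.ms:serial)". */
int rec_stamp(const char *rec, long *sec, unsigned long *serial) {
    unsigned ms; const char *p = strstr(rec, "msg=audit(");
    return p && sscanf(p, "msg=audit(%ld.%u:%lu)", sec, &ms, serial) == 3;
}

/* Hypothetical helper: copy the value of field `name` into out; returns 1 if found. */
int rec_field(const char *rec, const char *name, char *out, size_t n) {
    size_t len = strlen(name);
    if (n == 0 || len == 0) return 0;
    for (const char *p = rec; (p = strstr(p, name)) != NULL; p += len) {
        if ((p != rec && p[-1] != ' ') || p[len] != '=') continue; /* "uid" must not match in "auid" */
        const char *v = p + len + 1;
        char end = ' ';
        if (*v == '"') { end = '"'; v++; }   /* quoted values may contain spaces */
        size_t i = 0;
        for (; v[i] && v[i] != end && i + 1 < n; i++) out[i] = v[i];
        out[i] = '\0';
        return 1;
    }
    return 0;
}

/* Count events (runs of records with one serial) in which any record has name=value. */
int match_events(const char **recs, int n, const char *name, const char *value) {
    int hits = 0;
    for (int i = 0; i < n; ) {
        long sec, s2; unsigned long serial, ser2; char buf[64];
        int matched = 0, j = i;
        if (!rec_stamp(recs[i], &sec, &serial)) { i++; continue; }  /* skip malformed */
        for (; j < n && rec_stamp(recs[j], &s2, &ser2) && ser2 == serial; j++)
            if (rec_field(recs[j], name, buf, sizeof buf) && !strcmp(buf, value)) matched = 1;
        hits += matched; i = j;
    }
    return hits;
}
int main(void) {
    printf("events with uid=0: %d\n", match_events(sample, 3, "uid", "0"));
    return 0;
}
```

The whole-name check in rec_field matters for audit data: a substring search for uid would otherwise also hit auid, euid and similar fields and return the wrong identity.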