Functions
---------
auparse_state_t - is an opaque data type used for maintaining library state.

typedef enum { AUSOURCE_LOGS, AUSOURCE_FILE, AUSOURCE_BUFFER } ausource_t;

auparse_state_t *auparse_init(ausource_t source, const void *b) - allows init of the library. Sets the data source: logs, file, or buffer. The pointer 'b' is used to set the file name or pass the buffer when those types are given.
If I have a bunch of collected log files from around the network in my sysadmin's home directory, I want to view all these files together and maybe with different filters (this is the seaudit GUI). Can we make auparse_init() support multiple files specified manually?

Example:

const char *files[] = { "/home/admin/log1", "/home/admin/log2", NULL };
auparse_init(AUSOURCE_FILES, files);
typedef enum { AUSEARCH_STOP_EVENT, AUSEARCH_STOP_RECORD, AUSEARCH_STOP_FIELD } austop_t;

int ausearch_set_param(auparse_state_t *au, const char *field, const char *op, const char *value, austop_t where) - set search options. The field would be the left hand side of the audit name/value pairs.
I am a bit confused about the capabilities provided above. Can I make an
array of these auparse_state_t objects and maintain several different search
"views" on the library iterating over each view independently? This would
seem ideal.
The op would be how to match: =, !=, >, <. The value would be the right hand side of the audit field name/value pairs. The where parameter tells the search library where to place the internal cursor when a match is found. It could be on the first field of the first record, the first field of the record containing the match, or the field that matches.
Kevin Carr
Tresys Technology
410.290.1411 x137
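To make the stop-position ('where') semantics of the draft ausearch_set_param() concrete, here is an added example that is not from this thread or from libauparse: a hypothetical stand-alone matcher over one event built from constructed name=value records, applying a field/op/value rule and placing the cursor at event, record or field granularity. The names stop_t, cursor_t, search_event(), search_pos() and the sample records are all assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the proposed search API (not libauparse code): a
 * record is one line of name=value pairs, an event is an array of records,
 * and 'where' says which field the cursor lands on after a match. */
typedef enum { STOP_EVENT, STOP_RECORD, STOP_FIELD } stop_t;
typedef struct { int rec, field; } cursor_t;

/* Match one field value against the rule; > and < compare numerically. */
static int field_matches(const char *val, const char *op, const char *want) {
    if (strcmp(op, "=") == 0)  return strcmp(val, want) == 0;
    if (strcmp(op, "!=") == 0) return strcmp(val, want) != 0;
    long a = strtol(val, NULL, 10), b = strtol(want, NULL, 10);
    return strcmp(op, ">") == 0 ? a > b : strcmp(op, "<") == 0 ? a < b : 0;
}

/* Scan records in order; on the first match set the cursor per 'where'
 * and return 1, otherwise return 0 and leave the cursor untouched. */
int search_event(const char *const *recs, int nrecs, const char *field,
                 const char *op, const char *value, stop_t where, cursor_t *cur) {
    for (int r = 0; r < nrecs; r++) {
        char buf[256];                       /* strtok needs a writable copy */
        strncpy(buf, recs[r], sizeof buf - 1); buf[sizeof buf - 1] = '\0';
        int f = 0;
        for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " "), f++) {
            char *eq = strchr(tok, '=');
            if (!eq) continue;
            *eq = '\0';                      /* split "name=value" in place */
            if (strcmp(tok, field) == 0 && field_matches(eq + 1, op, value)) {
                cur->rec = (where == STOP_EVENT) ? 0 : r;   /* first record */
                cur->field = (where == STOP_FIELD) ? f : 0; /* first field  */
                return 1;
            }
        }
    }
    return 0;
}

/* Helper for callers/tests: cursor encoded as rec*100+field, -1 if no match. */
int search_pos(const char *const *recs, int nrecs, const char *field,
               const char *op, const char *value, stop_t where) {
    cursor_t c;
    return search_event(recs, nrecs, field, op, value, where, &c) ? c.rec * 100 + c.field : -1;
}

/* Constructed sample event (not taken from the page): SYSCALL + CWD + PATH. */
const char *const sample_event[] = {
    "type=SYSCALL syscall=2 success=yes exit=3 auid=1000 uid=1000",
    "type=CWD cwd=/home/admin",
    "type=PATH name=/etc/shadow mode=0100640",
};
```

With the same rule, STOP_FIELD lands on the matching name= field of the PATH record, STOP_RECORD on that record's first field, and STOP_EVENT on the first field of the SYSCALL record.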