Re: Audit Parsing Library Requirements

On Wednesday 08 March 2006 10:39, Steve Grubb wrote: > I'll take a hack at proposing an API and send it in a little while. OK, here's what I have: The audit library parser could have the following functions: auparse_init - allow init of library. Set data source: logs, file,

ausearch_set_param - set search options

ausearch_next_event - traverse to the next event that yields a match

search criteria. auparse_next_event - traverse to next event. This allows access to time

serial number. auparse_get_time - retrieve time stamp of current record auparse_get_serial - retrieve serial number of current record auparse_first_record - set iterator to first record in current event auparse_next_record - traverse to next record in event. This allows

the event type auparse_get_type - retrieve type of current record auparse_first_field - set field pointer to first in current record auparse_next_field - traverse the fields in a record auparse_find_field() - find a given field in a event or record auparse_find_field_next() - find the next occurance of that field inthe

record auparse_get_field_str - return current field value as a string auparse_get_field_int - return current field value as an int auparse_interpret_field - interpret the current field as a string auparse_destroy - free all data structures and close file descriptors This would allow the following kind of programming: auparse_init ausearch_set_param while ausearch_next_event if auparse_find_field auparse_interpret_field print out ... auparse_destroy This is essentially how ausearch works. The data structures would be hidden from the external application.

fields is a name/value style. You access the fields through functions

either return str pointer or ints. Would something like this meet everyone's needs? -Steve -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit