On Monday 13 March 2006 12:00, Kevin Carr wrote:
> If I have a bunch of collected log files from around the network in my
> sysadmin's home directory, I want to view all these files together and maybe
> with different filters (this is the seaudit GUI). Can we make
> auparse_init() support multiple files specified manually?

I suppose. I'll add that to the spec.

> > int ausearch_set_param(auparse_state_t *au, const char *field, const char *op,
> >     const char *value, austop_t where) - set search
> > options. The field would be the left hand side of the audit name/value
> > pairs.
>
> I am a bit confused about the capabilities provided above. Can I make an
> array of these auparse_state_t objects and maintain several different
> search "views" on the library iterating over each view independently? This
> would seem ideal.

I think the answer is Yes. Each state would be a search or iteration instance.
They could be searching different files or have different search parameters.
I think the analogy that was used previously was to think of them as "FILE
*". Using that analogy, a program can have multiple FILE *, each unique since
they have their own fopen call which initializes the resources and state.
auparse_init would be equivalent to fopen in this analogy.
-Steve
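
The "each state is like a FILE *" analogy from the reply above, as an added illustration that is not part of the original thread and is not libauparse code. `SearchState`, `set_param`, `next_event`, `open_logs` and `drain` are hypothetical names, and the audit records are constructed samples.

```python
import io
import re

# Constructed sample audit records (not real logs), standing in for two
# log files collected from different hosts.
LOG_A = """\
type=USER_LOGIN msg=audit(1142251200.101:41): pid=2101 uid=0 auid=500 res=failed
type=SYSCALL msg=audit(1142251201.250:42): syscall=2 success=no uid=500 exe="/bin/cat"
"""
LOG_B = """\
type=USER_LOGIN msg=audit(1142251300.007:17): pid=913 uid=0 auid=501 res=success
type=SYSCALL msg=audit(1142251305.640:18): syscall=2 success=no uid=501 exe="/usr/bin/less"
"""

PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')  # audit name=value pairs

class SearchState:
    """Hypothetical model of one state: its own sources, cursor and filters."""
    def __init__(self, sources):
        # Several files are read as one stream, in the order given.
        self._lines = (line for src in sources for line in src)
        self._rules = []

    def set_param(self, field, op, value):
        if op not in ("=", "!="):
            raise ValueError(f"unsupported operator: {op}")
        self._rules.append((field, op, value))

    def _matches(self, rec):
        return all((rec.get(f) == v) == (op == "=") for f, op, v in self._rules)

    def next_event(self):
        """Advance this state's private cursor to the next matching record."""
        for line in self._lines:
            rec = {k: v.strip('"') for k, v in PAIR.findall(line)}
            if rec and self._matches(rec):
                return rec
        return None

def open_logs():
    """Each call yields fresh handles, as each fopen() yields a fresh FILE *."""
    return [io.StringIO(LOG_A), io.StringIO(LOG_B)]

def drain(state):
    out = []
    while (rec := state.next_event()) is not None:
        out.append(rec)
    return out
```

Two states built from separate `open_logs()` calls can be stepped in any interleaving without disturbing each other, which is the "array of views" use the question asks about.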