
Re: Audit Parsing Library Requirements
linux-audit-bounces redhat com wrote on 03/09/2006 10:06:47 AM:

> On Wednesday 08 March 2006 10:39, Steve Grubb wrote:
> > I'll take a hack at proposing an API and send it in a little while.
>
> OK, here's what I have:
>
> The audit library parser could have the following functions:
>
> auparse_init - allow init of library. Set data source: logs, file, buffer.
> ausearch_set_param - set search options
What sort of search options can you set? Are these basically the same that ausearch allows? If so, being able to search based on the value of any field would be useful for testing (although they might not be in a real-world application, e.g. a0).

> ausearch_next_event - traverse to the next event that yields a match based on
> search criteria.
> auparse_next_event - traverse to next event. This allows access to time and
> serial number.
> auparse_get_time - retrieve time stamp of current record
> auparse_get_serial - retrieve serial number of current record
> auparse_first_record - set iterator to first record in current event
> auparse_next_record - traverse to next record in event. This allows access to
> the event type
> auparse_get_type - retrieve type of current record
> auparse_first_field - set field pointer to first in current record
> auparse_next_field - traverse the fields in a record
> auparse_find_field() - find a given field in an event or record
> auparse_find_field_next() - find the next occurrence of that field in the same
> record
> auparse_get_field_str - return current field value as a string
> auparse_get_field_int - return current field value as an int
> auparse_interpret_field - interpret the current field as a string
> auparse_destroy - free all data structures and close file descriptors
>
> This would allow the following kind of programming:
>
> auparse_init
> ausearch_set_param
> while ausearch_next_event
>         if auparse_find_field
>                 auparse_interpret_field
>                 print out
>
>         ...
> auparse_destroy
>
> This is essentially how ausearch works.
>
> The data structures would be hidden from the external application. Access to
> fields is a name/value style. You access the fields through functions that
> either return str pointer or ints.
>
> Would something like this meet everyone's needs?
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit redhat com
> https://www.redhat.com/mailman/listinfo/linux-audit
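The init / search / find-field / print loop sketched in the quoted proposal, as an added example that is not code from the thread or from the audit project: a toy C parser for name=value records with a by-name field lookup and a search loop, using constructed function names (rec_parse, rec_find_field, search_records) and constructed log lines. It stays at record level; the grouping of records into events by serial, the interpret step and ausearch_set_param are not modelled.

```c
/* Added example, not code from the thread: a toy parser mimicking the proposed name/value field model. All names and log lines are constructed. */
#include <stdio.h>
#include <string.h>
#define MAX_FIELDS 32
struct field { char name[32]; char value[128]; };
struct record { int nfields; struct field f[MAX_FIELDS]; };
/* Constructed records. msg=audit(TIME:SERIAL) is what auparse_get_time/serial would expose; a shared serial marks one event. */
static const char *SAMPLE_LOG[] = {
    "type=SYSCALL msg=audit(1141920000.123:456): syscall=2 success=yes uid=0 a0=7fffd1e0",
    "type=CWD msg=audit(1141920000.123:456): cwd=\"/root\"",
    "type=SYSCALL msg=audit(1141920001.987:457): syscall=59 success=no uid=1000 a0=1",
};
/* Split a record into name=value pairs on whitespace (quoted values containing spaces are not handled); -1 if the line is too long. */
static int rec_parse(const char *line, struct record *r)
{
    char buf[512], *t, *eq;
    r->nfields = 0;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    for (t = strtok(buf, " \n"); t && r->nfields < MAX_FIELDS; t = strtok(NULL, " \n")) {
        if (!(eq = strchr(t, '='))) continue;     /* skip tokens that are not name=value */
        *eq = '\0';
        snprintf(r->f[r->nfields].name, 32, "%s", t);
        snprintf(r->f[r->nfields].value, 128, "%s", eq + 1);
        r->nfields++;
    }
    return r->nfields;
}
/* Lookup by name returning a str pointer (auparse_find_field + auparse_get_field_str in the proposal), NULL when absent. */
static const char *rec_find_field(const struct record *r, const char *name)
{
    for (int i = 0; i < r->nfields; i++)
        if (strcmp(r->f[i].name, name) == 0) return r->f[i].value;
    return NULL;
}
/* The loop sketched in the proposal: fix a criterion, walk records, find the field, print the hit; returns the match count. */
static int search_records(const char *lines[], int n, const char *name, const char *want)
{
    struct record r;
    int hits = 0;
    for (int i = 0; i < n; i++) {
        const char *v = rec_parse(lines[i], &r) < 0 ? NULL : rec_find_field(&r, name);
        if (!v || strcmp(v, want) != 0) continue;
        const char *msg = rec_find_field(&r, "msg");
        printf("%s %s=%s\n", msg ? msg : "?", name, v);
        hits++;
    }
    return hits;
}
```

Searching on any field name, as the reply above asks about, falls out of the name/value model: `search_records(SAMPLE_LOG, 3, "a0", "1")` works the same way as a search on uid.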
