Audit Parsing Library Requirements

Steve Grubb sgrubb at redhat.com
Thu Mar 9 19:00:05 UTC 2006


On Thursday 09 March 2006 13:49, Debora Velarde wrote:
> Not sure if ausearch supports this now, but I'm thinking of two use cases:
> 1.  If I want to find all records where the auid is NOT 500
> 2.  If I want to find all records where the gid is greater than 500.
>
> Could we then do:
> ausearch_set_param("auid", "!=", "500");
> ausearch_set_param("gid", ">", "500");

Sure, sounds fine to me since we are redefining the search engine.

-Steve
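The two use cases discussed above, as an added example that is not part of the original thread and is not audit library code: `get_field` and `record_matches` are hypothetical helpers, the records are constructed, and the `=` and `<` operators go beyond the two operators named in the message. It matches field names as whole keys, so a search on `gid` is not satisfied by `egid=600`, and compares values numerically rather than as strings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample records (not real log data). */
static const char *REC_A = "type=SYSCALL msg=audit(1141930805.100:41): "
    "syscall=5 auid=500 uid=0 gid=0 euid=0 egid=600 comm=\"cat\"";
static const char *REC_B = "type=SYSCALL msg=audit(1141930805.200:42): "
    "syscall=5 auid=501 uid=501 gid=501 euid=501 egid=501 comm=\"vi\"";

/* Hypothetical helper: copy the value of key `field` into out.
 * Matches whole keys only, so "gid" does not hit "egid=" and
 * "uid" does not hit "auid=". Returns 0 on success, -1 if absent. */
static int get_field(const char *rec, const char *field, char *out, size_t n)
{
    size_t flen = strlen(field);
    if (flen == 0) return -1;
    for (const char *p = rec; (p = strstr(p, field)) != NULL; p += flen) {
        if ((p == rec || p[-1] == ' ') && p[flen] == '=') {
            size_t len = strcspn(p + flen + 1, " ");
            if (len >= n) return -1;
            memcpy(out, p + flen + 1, len);
            out[len] = '\0';
            return 0;
        }
    }
    return -1;
}

/* Hypothetical matcher: 1 = match, 0 = no match,
 * -1 = field missing, value not numeric, or unknown operator. */
int record_matches(const char *rec, const char *field,
                   const char *op, const char *value)
{
    char buf[32], *e1, *e2;
    if (get_field(rec, field, buf, sizeof buf) != 0) return -1;
    unsigned long a = strtoul(buf, &e1, 10), b = strtoul(value, &e2, 10);
    if (e1 == buf || *e1 || e2 == value || *e2) return -1;
    if (!strcmp(op, "!=")) return a != b;
    if (!strcmp(op, "="))  return a == b;
    if (!strcmp(op, ">"))  return a > b;
    if (!strcmp(op, "<"))  return a < b;
    return -1;
}

int main(void)
{
    printf("A: auid!=500 %d\n", record_matches(REC_A, "auid", "!=", "500"));
    printf("B: gid>500   %d\n", record_matches(REC_B, "gid", ">", "500"));
    return 0;
}
```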



