
Re: Audit Parsing Library Requirements



I would also vote that we use the field names like they are passed in 
auditctl, as opposed to the options passed into ausearch.
So we would use
   ausearch_set_param("uid", "!=", "500");
rather than
   ausearch_set_param("ui", "!=500");

Steve Grubb <sgrubb redhat com> wrote on 03/09/2006 11:00:05 AM:

> On Thursday 09 March 2006 13:49, Debora Velarde wrote:
> > Not sure if ausearch supports this now, but I'm thinking of two use cases:
> > 1.  If I want to find all records where the auid is NOT 500
> > 2.  If I want to find all records where the gid is greater than 500.
> >
> > Could we then do:
> > ausearch_set_param("auid", "!=", "500");
> > ausearch_set_param("gid", ">", "500");
> 
> Sure, sounds fine to me since we are redefining the search engine.
> 
> -Steve
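
The three-argument (field, operator, value) form discussed in this thread, as an added example that is not part of the original messages and not audit library code. `record_matches` and the sample record are hypothetical and constructed for illustration; the point shown is that a field name such as "uid" must be matched as a whole key, since it also occurs inside "auid" and "euid".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample record in the audit log's key=value layout. */
static const char SAMPLE[] =
    "type=SYSCALL msg=audit(1141920005.123:42): syscall=5 success=yes "
    "pid=2001 auid=500 uid=0 gid=501 euid=0 comm=\"cat\"";

/* Locate `field` as a whole key: at the start or after a space, and
 * followed by '=', so "uid" is not found inside "auid" or "euid". */
static const char *find_value(const char *rec, const char *field)
{
    size_t n = strlen(field);
    const char *p = rec;
    if (n == 0) return NULL;
    for (; (p = strstr(p, field)) != NULL; p++)
        if ((p == rec || p[-1] == ' ') && p[n] == '=')
            return p + n + 1;
    return NULL;
}

/* Hypothetical matcher: 1 = match, 0 = no match, -1 = field missing,
 * non-numeric value, or unsupported operator. */
int record_matches(const char *rec, const char *field,
                   const char *op, const char *value)
{
    const char *v = find_value(rec, field);
    char *eh, *ew;
    long have, want;
    if (v == NULL) return -1;
    have = strtol(v, &eh, 10);
    want = strtol(value, &ew, 10);
    if (eh == v || (*eh != ' ' && *eh != '\0') || ew == value || *ew != '\0')
        return -1;
    if (strcmp(op, "=") == 0)  return have == want;
    if (strcmp(op, "!=") == 0) return have != want;
    if (strcmp(op, ">") == 0)  return have > want;
    if (strcmp(op, "<") == 0)  return have < want;
    return -1;
}

int main(void)
{
    printf("auid != 500: %d\n", record_matches(SAMPLE, "auid", "!=", "500"));
    printf("uid  != 500: %d\n", record_matches(SAMPLE, "uid", "!=", "500"));
    printf("gid  >  500: %d\n", record_matches(SAMPLE, "gid", ">", "500"));
    return 0;
}
```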

