1AUSEARCH_ADD_TIMESTAMP_ITEM(3) Linux Audit API AUSEARCH_ADD_TIMESTAMP_ITEM(3)
2
3
4
6 ausearch_add_timestamp_item - build up search rule
7
9 #include <auparse.h>
10
11 int ausearch_add_timestamp_item(auparse_state_t *au, const char *op,
12 time_t sec, unsigned milli, ausearch_rule_t how)
13
14
16 ausearch_add_timestamp_item adds an event time condition to the current
17 audit search expression. The search conditions can then be used to scan
18 logs, files, or buffers for something of interest. The op parameter
19 specifies the desired comparison. Legal op values are <, <=, >=, > and
20 =. The left operand of the comparison operator is the timestamp of the
21 examined event, the right operand is specified by the sec and milli
22 parameters.
23
24 The how value determines how this search condition will affect the
25 existing search expression if one is already defined. The possible val‐
26 ues are:
27
28 AUSEARCH_RULE_CLEAR
29 Clear the current search expression, if any, and use only
30 this search condition.
31
32 AUSEARCH_RULE_OR
33 If a search expression E is already configured, replace
34 it by (E || this_search_condition).
35
36 AUSEARCH_RULE_AND
37 If a search expression E is already configured, replace
38 it by (E && this_search_condition).
39
40
42 Returns -1 if an error occurs; otherwise, 0 for success.
43
44
46 Use ausearch_add_item(3) and ausearch_add_interpreted_item(3) to add
47 conditions that check audit record fields. Use ausearch_add_expres‐
48 sion(3) to add complex search expressions using a single function call.
49
50
52 ausearch_add_expression(3), ausearch_add_item(3), ausearch_add_inter‐
53 preted_item(3), ausearch_add_regex(3), ausearch_set_stop(3), ause‐
54 arch_clear(3), ausearch_next_event(3), ausearch-expression(5).
55
56
58 Miloslav Trmac
59
60
61
62Red Hat Nov 2007 AUSEARCH_ADD_TIMESTAMP_ITEM(3)