1AUSEARCH_ADD_expression(3)      Linux Audit API     AUSEARCH_ADD_expression(3)
2
3
4

NAME

6       ausearch_add_expression - build up search expression
7

SYNOPSIS

9       #include <auparse.h>
10
11       int  ausearch_add_expression(auparse_state_t  *au,  const char *expres‐
12       sion, char **error, ausearch_rule_t how);
13
14

DESCRIPTION

16       ausearch_add_item adds  an  expression  to  the  current  audit  search
17       expression.   The  search  conditions  can  then  be used to scan logs,
18       files, or buffers for something of interest.  The expression  parameter
19       contains an expression, as specified in ausearch-expression(5).
20
21       The how parameter determines how this search expression will affect the
22       existing search expression, if one is already  defined.   The  possible
23       values are:
24
25              AUSEARCH_RULE_CLEAR
26                     Clear the current search expression, if any, and use only
27                     this search expression.
28
29              AUSEARCH_RULE_OR
30                     If a search expression E is already  configured,  replace
31                     it by (E || this_search_expression).
32
33              AUSEARCH_RULE_AND
34                     If  a  search expression E is already configured, replace
35                     it by (E && this_search_expression).
36
37

RETURN VALUE

39       If  successful,  ausearch_add_expression  returns  0.   Otherwise,   it
40       returns  -1,  sets errno and it may set *error to an error message; the
41       caller must free the error message using free(3).  If an error  message
42       is not available or can not be allocated, *error is set to NULL.
43
44

SEE ALSO

46       ausearch_add_item(3),      ausearch_add_interpreted_item(3),      ause‐
47       arch_add_timestamp_item(3),        ausearch_add_regex(3),         ause‐
48       arch_set_stop(3),   ausearch_clear(3),   ausearch_next_event(3),  ause‐
49       arch-expression(5).
50
51

AUTHOR

53       Miloslav Trmac
54
55
56
57Red Hat                            Feb 2008         AUSEARCH_ADD_expression(3)
Impressum