AUSEARCH_ADD_ITEM(3)            Linux Audit API           AUSEARCH_ADD_ITEM(3)

NAME

       ausearch_add_item - build up search rule

SYNOPSIS

       #include <auparse.h>

       int ausearch_add_item(auparse_state_t *au, const char *field,
                             const char *op, const char *value,
                             ausearch_rule_t how);


DESCRIPTION

       ausearch_add_item adds one search condition to the current audit search
       expression. The search conditions can then be used to scan logs, files,
       or buffers for something of interest. The field value is the field name
       that the value will be checked for. The op variable describes what kind
       of check is to be done. Legal op values are:

              exists
                      just check that a field name exists

              =
                      locate the field name and check that the value
                      associated with it is equal to the value given in this
                      rule.

              !=
                      locate the field name and check that the value
                      associated with it is NOT equal to the value given in
                      this rule.

       The value parameter is compared to the uninterpreted field value. If
       you are trying to match against a field whose type is
       AUPARSE_TYPE_ESCAPED, you will want to use the
       ausearch_add_interpreted_item() function instead.

       The how value determines how this search condition will affect the
       existing search expression if one is already defined. The possible
       values are:

              AUSEARCH_RULE_CLEAR
                     Clear the current search expression, if any, and use only
                     this search condition.

              AUSEARCH_RULE_OR
                     If a search expression E is already configured, replace
                     it by (E || this_search_condition).

              AUSEARCH_RULE_AND
                     If a search expression E is already configured, replace
                     it by (E && this_search_condition).


RETURN VALUE

       Returns -1 if an error occurs; otherwise, 0 for success.


SEE ALSO

       ausearch_add_expression(3), ausearch_add_interpreted_item(3),
       ausearch_add_timestamp_item(3), ausearch_add_regex(3),
       ausearch_set_stop(3), ausearch_clear(3), ausearch_next_event(3),
       ausearch-expression(5).


AUTHOR

       Steve Grubb

Red Hat                            Feb 2012               AUSEARCH_ADD_ITEM(3)