AUSEARCH_ADD_EXPRESSION(3)      Linux Audit API     AUSEARCH_ADD_EXPRESSION(3)

NAME

       ausearch_add_expression - build up search expression

SYNOPSIS

       #include <auparse.h>

       int ausearch_add_expression(auparse_state_t *au, const char *expression,
       char **error, ausearch_rule_t how);

DESCRIPTION

       ausearch_add_expression adds an expression to the current audit search
       expression. The search conditions can then be used to scan logs, files,
       or buffers for something of interest. The expression parameter contains
       an expression, as specified in ausearch-expression(5).

       The how parameter determines how this search expression will affect the
       existing search expression, if one is already defined. The possible
       values are:

              AUSEARCH_RULE_CLEAR
                     Clear the current search expression, if any, and use only
                     this search expression.

              AUSEARCH_RULE_OR
                     If a search expression E is already configured, replace
                     it by (E || this_search_expression).

              AUSEARCH_RULE_AND
                     If a search expression E is already configured, replace
                     it by (E && this_search_expression).

RETURN VALUE

       If successful, ausearch_add_expression returns 0. Otherwise, it returns
       -1, sets errno, and may set *error to an error message; the caller must
       free the error message using free(3). If an error message is not
       available or cannot be allocated, *error is set to NULL.

SEE ALSO

       ausearch_add_item(3), ausearch_add_interpreted_item(3),
       ausearch_add_timestamp_item(3), ausearch_add_regex(3),
       ausearch_set_stop(3), ausearch_clear(3), ausearch_next_event(3),
       ausearch-expression(5).

AUTHOR

       Miloslav Trmac

Red Hat                            Feb 2008         AUSEARCH_ADD_EXPRESSION(3)