AUSEARCH_ADD_INTERPRETED_ITEM(3)      Linux Audit API      AUSEARCH_ADD_INTERPRETED_ITEM(3)

NAME

       ausearch_add_interpreted_item - build up search rule

SYNOPSIS

       #include <auparse.h>

       int ausearch_add_interpreted_item(auparse_state_t *au, const char *field,
                                         const char *op, const char *value,
                                         ausearch_rule_t how);

DESCRIPTION

       ausearch_add_interpreted_item adds one search condition to the current
       audit search expression. The search conditions can then be used to scan
       logs, files, or buffers for something of interest. The field parameter
       names the field whose value is to be checked. The op parameter
       describes what kind of check is to be done. Legal op values are:

              exists
                     just check that a field name exists

              =
                     locate the field name and check that the value associated
                     with it is equal to the value given in this rule.

              !=
                     locate the field name and check that the value associated
                     with it is NOT equal to the value given in this rule.

       The value parameter is compared to the interpreted field value (the
       value that would be returned by auparse_interpret_field(3)), not to the
       raw text of the field as it appears in the log.

       The how value determines how this search condition will affect the
       existing search expression if one is already defined. The possible
       values are:

              AUSEARCH_RULE_CLEAR
                     Clear the current search expression, if any, and use only
                     this search condition.

              AUSEARCH_RULE_OR
                     If a search expression E is already configured, replace
                     it by (E || this_search_condition).

              AUSEARCH_RULE_AND
                     If a search expression E is already configured, replace
                     it by (E && this_search_condition).


RETURN VALUE

       Returns -1 if an error occurs; otherwise, 0 for success.

SEE ALSO

       ausearch_add_expression(3), ausearch_add_item(3),
       ausearch_add_timestamp_item(3), ausearch_add_regex(3),
       ausearch_set_stop(3), ausearch_clear(3), ausearch_next_event(3),
       ausearch-expression(5).

AUTHOR

       Steve Grubb

Red Hat                            Nov 2007   AUSEARCH_ADD_INTERPRETED_ITEM(3)