1AUPARSE_FEED(3)                 Linux Audit API                AUPARSE_FEED(3)
2
3
4

NAME

6       auparse_feed - feed data into parser
7

SYNOPSIS

9       #include <auparse.h>
10
11       int auparse_feed(auparse_state_t *au, const char *data, size_t data_len);
12
13
14       au     The audit parse state
15
16       data   a buffer of data to feed into the parser; it is data_len bytes
17              long. The data is copied into the parser, so upon return the
18              caller may free or reuse the data buffer.
19
20       data_len
21              number of bytes in data
22
23

DESCRIPTION

25       auparse_feed  supplies  new  data  for  the  parser  to  consume.   au‐
26       parse_init() must have been called with a source type of  AUSOURCE_FEED
27       and a NULL pointer.
28
29       The  parser  consumes  as much data as it can, invoking a user-supplied
30       callback specified with auparse_add_callback with  a  cb_event_type  of
31       AUPARSE_CB_EVENT_READY each time the parser recognizes a complete event
32       in the data stream. Data not fully parsed will persist and be prepended
33       to  the  next feed data. After all data has been fed to the parser, au‐
34       parse_flush_feed should be called to signal the end of input  data  and
35       flush any pending parse data through the parsing system.
36
37

RETURN VALUE

39       Returns -1 if an error occurs; otherwise, 0 for success.
40
41

EXAMPLE

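/*
 * Event callback registered with auparse_add_callback().
 *
 * Called by the parser; only AUPARSE_CB_EVENT_READY is handled here, every
 * other event type is ignored. For a ready event it prints each record's
 * field count, type and timestamp, then every field as
 * "name=raw-value (interpreted-value)".
 *
 * au            parse state positioned on the completed event
 * cb_event_type reason the parser invoked the callback
 * user_data     pointer to the caller's int event counter; incremented once
 *               per fully printed event
 */
void
auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type,
                 void *user_data)
{
    int *event_cnt = user_data;

    if (cb_event_type != AUPARSE_CB_EVENT_READY)
        return;

    /* No first record means there is nothing to print for this event. */
    if (auparse_first_record(au) <= 0)
        return;

    printf("event: %d\n", *event_cnt);
    printf("records:%d\n", auparse_get_num_records(au));

    do {
        printf("fields:%d\n", auparse_get_num_fields(au));
        printf("type=%d ", auparse_get_type(au));

        const au_event_t *e = auparse_get_timestamp(au);
        if (e == NULL)
            return;
        printf("event time: %lu.%u:%lu\n",
               (unsigned long)e->sec, e->milli, e->serial);

        auparse_first_field(au);
        do {
            /*
             * Any of the accessors may return NULL on error; passing NULL
             * for %s is undefined behaviour, so substitute a marker.
             * Field text comes from the audit records and is only ever
             * passed as an argument, never as the format string.
             */
            const char *name = auparse_get_field_name(au);
            const char *raw = auparse_get_field_str(au);
            const char *interp = auparse_interpret_field(au);

            printf("%s=%s (%s)\n",
                   name ? name : "(null)",
                   raw ? raw : "(null)",
                   interp ? interp : "(null)");
        } while (auparse_next_field(au) > 0);
        printf("\n");

    } while (auparse_next_record(au) > 0);

    (*event_cnt)++;
}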
72
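/*
 * Feed an audit log file (argv[1]) to the parser in 256-byte chunks.
 *
 * Returns 0 when the whole file was fed and flushed, 1 on any failure.
 * A failed auparse_feed() or auparse_flush_feed() means audit records were
 * not processed, so it is reported instead of being silently ignored.
 */
int
main(int argc, char **argv)
{
    auparse_state_t *au;
    const char *filename;
    FILE *fp = NULL;
    char buf[256];
    size_t len;
    int *event_cnt;
    int rc = 1;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <audit-log-file>\n",
                argc > 0 ? argv[0] : "example");
        return 1;
    }
    filename = argv[1];

    event_cnt = malloc(sizeof *event_cnt);
    if (event_cnt == NULL) {
        fprintf(stderr, "out of memory\n");
        return 1;
    }
    *event_cnt = 1;

    /* AUSOURCE_FEED requires a NULL second argument (see DESCRIPTION). */
    au = auparse_init(AUSOURCE_FEED, NULL);
    if (au == NULL) {
        fprintf(stderr, "auparse_init failed\n");
        free(event_cnt);
        return 1;
    }
    auparse_set_eoe_timeout(2);

    /*
     * free is registered as the destroy function for event_cnt, so from
     * here on the counter is released through auparse_destroy() and must
     * not be freed directly.
     */
    auparse_add_callback(au, auparse_callback, event_cnt, free);

    if ((fp = fopen(filename, "r")) == NULL) {
        fprintf(stderr, "could not open '%s', %s\n", filename, strerror(errno));
        goto out;
    }

    while ((len = fread(buf, 1, sizeof(buf), fp)) > 0) {
        if (auparse_feed(au, buf, len) < 0) {
            fprintf(stderr, "auparse_feed failed\n");
            goto out;
        }
    }
    /* fread returns 0 for both end-of-file and a read error. */
    if (ferror(fp)) {
        fprintf(stderr, "error reading '%s'\n", filename);
        goto out;
    }

    /* Push any partially buffered event through the callback. */
    if (auparse_flush_feed(au) < 0) {
        fprintf(stderr, "auparse_flush_feed failed\n");
        goto out;
    }
    rc = 0;

out:
    if (fp != NULL)
        fclose(fp);
    auparse_destroy(au);
    return rc;
}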
98
99

SEE ALSO

101       auparse_add_callback(3),           auparse_flush_feed(3),           au‐
102       parse_feed_age_events(3), auparse_feed_has_data(3)
103
104
105

AUTHOR

107       John Dennis
108
109
110
111Red Hat                            Aug 2023                    AUPARSE_FEED(3)