centos man page for auparse_feed

Centos Man Pages All Man Pages Latest Topics Forum Categories

Query: auparse_feed

OS: centos

Section: 3

Format: Original Unix Latex Style Formatted with HTML and a Horizontal Scroll Bar

AUPARSE_FEED(3) 						  Linux Audit API						   AUPARSE_FEED(3)


NAME

       auparse_feed - feed data into parser


SYNOPSIS

       #include <auparse.h>

       int auparse_feed(auparse_state_t *au, const char *data, size_t data_len);

       au     The audit parse state

       data   a  buffer  of  data to feed into the parser, it is data_len bytes long. The data is copied in the parser, upon return the caller may
	      free or reuse the data buffer.

       data_len
	      number of bytes in data


DESCRIPTION

       auparse_feed supplies new data for the parser to consume.  auparse_init() must have been called with a source type of AUSOURCE_FEED  and  a
       NULL pointer.

       The  parser  consumes  as much data as it can invoking a user supplied callback specified with auparse_add_callback with a cb_event_type of
       AUPARSE_CB_EVENT_READY each time the parser recognizes a complete event in the data stream. Data not  fully  parsed  will  persist  and	be
       prepended  to the next feed data. After all data has been feed to the parser auparse_flush_feed should be called to signal the end of input
       data and flush any pending parse data through the parsing system.


EXAMPLE

       void
       auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type,
			void *user_data)
       {
	   int *event_cnt = (int *)user_data;

	   if (cb_event_type == AUPARSE_CB_EVENT_READY) {
	       if (auparse_first_record(au) <= 0) return;
	       printf("event: %d
", *event_cnt);
	       printf("records:%d
", auparse_get_num_records(au));
	       do {
		   printf("fields:%d
", auparse_get_num_fields(au));
		   printf("type=%d ", auparse_get_type(au));
		   const au_event_t *e = auparse_get_timestamp(au);
		   if (e == NULL) return;
		   printf("event time: %u.%u:%lu
",
			   (unsigned)e->sec, e->milli, e->serial);
		   auparse_first_field(au);
		   do {
		       printf("%s=%s (%s)
", auparse_get_field_name(au),
			      auparse_get_field_str(au),
			      auparse_interpret_field(au));
		   } while (auparse_next_field(au) > 0);
		   printf("
");

	       } while(auparse_next_record(au) > 0);
	       (*event_cnt)++;
	   }
       }

       main(int argc, char **argv)
       {
	   char *filename = argv[1];
	   FILE *fp;
	   char buf[256];
	   size_t len;
	   int *event_cnt = malloc(sizeof(int));

	   au = auparse_init(AUSOURCE_FEED, 0);

	   *event_cnt = 1;
	   auparse_add_callback(au, auparse_callback, event_cnt, free);

	   if ((fp = fopen(filename, "r")) == NULL) {
	       fprintf(stderr, "could not open '%s', %s
", filename, strerror(errno));
	       return 1;
	   }

	   while ((len = fread(buf, 1, sizeof(buf), fp))) {
	       auparse_feed(au, buf, len);
	   }
	   auparse_flush_feed(au);
       }


RETURN VALUE

       Returns -1 if an error occurs; otherwise, 0 for success.


SEE ALSO

       auparse_add_callback(3), auparse_flush_feed(3), auparse_feed_has_data(3)


AUTHOR

       John Dennis

Red Hat 							     May 2007							   AUPARSE_FEED(3)
Related Man Pages
auparse_feed(3) - debian
gfs_pio_gets(3) - debian
iv_examples(3) - debian
auparse_feed(3) - suse
sha224_data(3) - netbsd
Similar Topics in the Unix Linux Community
Weird 'find' results
Best performance UNIX just for HOST Virtualization?
DB2 convert digits to binary format
CentOS7 restoring file capabilities
Docker learning Phase-I