AUPARSE_ADD_CALLBACK(3) Linux Audit API AUPARSE_ADD_CALLBACK(3)
NAME
auparse_add_callback - add a callback handler for notifications
SYNOPSIS
#include <auparse.h>
void
auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback,
void *user_data, user_destroy user_destroy_func);
DESCRIPTION
auparse_add_callback adds a callback function to the parse state which is invoked to notify the application of parsing events.
The signature of the callback is:
void
auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type,
void *user_data);
When the callback is invoked it is passed:
au
    a pointer to the parse_state
cb_event_type
    enumerated value indicating the reason why the callback was invoked
user_data
    pointer to user supplied private data. May be NULL.
user_destroy_func
    pointer to function called when user_data is destroyed. May be NULL. The signature is:
        void destroy(void *user_data);
    The destroy() function should be prepared to accept user_data possibly being NULL.
The cb_event_type argument indicates why the callback was invoked. Its possible values are:
AUPARSE_CB_EVENT_READY
    A complete event has been parsed and is ready to be examined. This is logically equivalent to the parse state immediately following auparse_next_event().
See auparse_feed(3) for a complete code example.
RETURN VALUE
Returns the previous callback pointer.
SEE ALSO
auparse_feed(3), auparse_flush_feed(3).
AUTHOR
John Dennis
Red Hat May 2007 AUPARSE_ADD_CALLBACK(3)
AUPARSE_FEED(3) Linux Audit API AUPARSE_FEED(3)
NAME
auparse_feed - feed data into parser
SYNOPSIS
#include <auparse.h>
int auparse_feed(auparse_state_t *au, const char *data, size_t data_len);
au The audit parse state
data a buffer of data to feed into the parser; it is data_len bytes long. The data is copied into the parser, so upon return the caller may free or reuse the data buffer.
data_len
number of bytes in data
DESCRIPTION
auparse_feed supplies new data for the parser to consume. auparse_init() must have been called with a source type of AUSOURCE_FEED and a NULL pointer.
The parser consumes as much data as it can, invoking a user supplied callback specified with auparse_add_callback with a cb_event_type of AUPARSE_CB_EVENT_READY each time the parser recognizes a complete event in the data stream. Data not fully parsed will persist and be prepended to the next feed data. After all data has been fed to the parser, auparse_flush_feed should be called to signal the end of input data and flush any pending parse data through the parsing system.
EXAMPLE
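    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <auparse.h>

    /* Invoked by the parser each time a complete event is available. */
    void
    auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type,
                     void *user_data)
    {
        int *event_cnt = (int *)user_data;

        if (cb_event_type == AUPARSE_CB_EVENT_READY) {
            if (auparse_first_record(au) <= 0) return;
            printf("event: %d\n", *event_cnt);
            printf("records:%u\n", auparse_get_num_records(au));
            do {
                printf("fields:%u\n", auparse_get_num_fields(au));
                printf("type=%d ", auparse_get_type(au));
                const au_event_t *e = auparse_get_timestamp(au);
                if (e == NULL) return;
                printf("event time: %u.%u:%lu\n",
                       (unsigned)e->sec, e->milli, e->serial);
                auparse_first_field(au);
                /* Print every field as name=raw value (interpreted value). */
                do {
                    printf("%s=%s (%s)\n", auparse_get_field_name(au),
                           auparse_get_field_str(au),
                           auparse_interpret_field(au));
                } while (auparse_next_field(au) > 0);
                printf("\n");
            } while (auparse_next_record(au) > 0);
            (*event_cnt)++;
        }
    }

    int
    main(int argc, char **argv)
    {
        auparse_state_t *au;
        char *filename;
        FILE *fp;
        char buf[256];
        size_t len;
        int *event_cnt;

        if (argc < 2) {
            fprintf(stderr, "usage: %s file\n", argv[0]);
            return 1;
        }
        filename = argv[1];

        event_cnt = malloc(sizeof(int));
        if (event_cnt == NULL)
            return 1;
        *event_cnt = 1;

        /* Feed mode: source type AUSOURCE_FEED and a NULL source pointer. */
        au = auparse_init(AUSOURCE_FEED, NULL);
        if (au == NULL) {
            free(event_cnt);
            return 1;
        }
        /* free() is registered as the destroy function for event_cnt. */
        auparse_add_callback(au, auparse_callback, event_cnt, free);

        if ((fp = fopen(filename, "r")) == NULL) {
            fprintf(stderr, "could not open '%s', %s\n", filename, strerror(errno));
            auparse_destroy(au);
            return 1;
        }
        while ((len = fread(buf, 1, sizeof(buf), fp))) {
            auparse_feed(au, buf, len);
        }
        /* Signal end of input so any pending event reaches the callback. */
        auparse_flush_feed(au);
        fclose(fp);
        /* Releases the parse state and calls the destroy function on event_cnt. */
        auparse_destroy(au);
        return 0;
    }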
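The following block is an added illustration, not part of the original man page and not libauparse code. It models the buffering contract described under DESCRIPTION (unparsed data persists across feeds, and the flush pushes pending data through), so a reader can see that chunk boundaries do not change the result while omitting the flush drops the final event. The names feed_model, model_feed, model_flush and count_events are hypothetical, the sample records are constructed, and the rule that an event ends when the audit(...) id changes is a simplifying assumption of the model.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of the feed contract, NOT libauparse code. Assumption:
 * an event is the run of consecutive records sharing one audit(...) id. */
typedef struct {
    char line[512];  /* partial record carried over between feeds */
    size_t len;      /* bytes currently buffered in line */
    char id[64];     /* "sec.milli:serial" of the event being assembled */
    int nrec;        /* records collected for that event */
    int ready;       /* stands in for AUPARSE_CB_EVENT_READY callbacks */
} feed_model;

static void end_event(feed_model *m) { if (m->nrec) m->ready++; m->nrec = 0; }

static void take_record(feed_model *m) {
    char id[64];
    m->line[m->len] = '\0';              /* terminate the buffered record */
    m->len = 0;
    const char *p = strstr(m->line, "msg=audit(");
    if (!p || sscanf(p, "msg=audit(%63[^)]", id) != 1) return; /* not a record */
    if (m->nrec && strcmp(id, m->id) != 0) end_event(m); /* new id: previous event done */
    strcpy(m->id, id);
    m->nrec++;
}

int model_feed(feed_model *m, const char *data, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (data[i] == '\n') take_record(m);
        else if (m->len < sizeof m->line - 1) m->line[m->len++] = data[i];
        else return -1;  /* oversized record: fail instead of overflowing */
    }
    return 0;
}
void model_flush(feed_model *m) { if (m->len) take_record(m); end_event(m); }

/* Constructed sample: two events, the first made of two records. */
static const char SAMPLE[] =
    "type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=59\n"
    "type=EXECVE msg=audit(1700000000.123:101): argc=1 a0=\"id\"\n"
    "type=USER_LOGIN msg=audit(1700000005.456:102): pid=4242 res=failed\n";

/* Feed SAMPLE in chunk-byte pieces; return how many events were reported. */
int count_events(size_t chunk, int do_flush) {
    feed_model m = {0};
    size_t total = sizeof SAMPLE - 1;
    if (chunk == 0) return -1;
    for (size_t off = 0; off < total; off += chunk)
        if (model_feed(&m, SAMPLE + off, total - off < chunk ? total - off : chunk))
            return -1;
    if (do_flush) model_flush(&m);
    return m.ready;
}
```

In this model count_events(7, 1) reports both events and count_events(7, 0) reports only the first, because the last event stays pending until the flush.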
RETURN VALUE
Returns -1 if an error occurs; otherwise, 0 for success.
SEE ALSO
auparse_add_callback(3), auparse_flush_feed(3), auparse_feed_has_data(3)
AUTHOR
John Dennis
Red Hat May 2007 AUPARSE_FEED(3)