AUPARSE_INIT(3) Linux Audit API AUPARSE_INIT(3)
NAME
auparse_init - initialize an instance of the audit parsing library
SYNOPSIS
#include <auparse.h>
auparse_state_t *auparse_init(ausource_t source, const void *b);
DESCRIPTION
auparse_init initializes an instance of the audit parsing library. The function returns an opaque pointer to the parser's internal state,
which is passed to all subsequent calls into the library. The source argument determines where the library looks for data. Legal values are:
AUSOURCE_LOGS - use audit logs
AUSOURCE_FILE - use a file
AUSOURCE_FILE_ARRAY - use several files
AUSOURCE_BUFFER - use a buffer
AUSOURCE_BUFFER_ARRAY - use an array of buffers
AUSOURCE_DESCRIPTOR - use a particular descriptor
AUSOURCE_FILE_POINTER - use a stdio FILE pointer
AUSOURCE_FEED - feed data to parser with auparse_feed()
The pointer 'b' is used to set the file name, array of filenames, the buffer address, or an array of pointers to buffers, or the descriptor
number based on what source is given. When the data source is an array of files or buffers, you would create an array of pointers with the
last one being a NULL pointer. Buffers should be NUL terminated.
RETURN VALUE
Returns a NULL pointer if an error occurs; otherwise, the return value is an opaque pointer to the parser's internal state.
SEE ALSO
auparse_reset(3), auparse_destroy(3), auparse_feed(3).
AUTHOR
Steve Grubb
Red Hat Feb 2007 AUPARSE_INIT(3)
AUPARSE_FEED(3) Linux Audit API AUPARSE_FEED(3)
NAME
auparse_feed - feed data into parser
SYNOPSIS
#include <auparse.h>
int auparse_feed(auparse_state_t *au, const char *data, size_t data_len);
au       The audit parse state.
data     A buffer of data to feed into the parser; it is data_len bytes long. The data is copied into the parser, so upon return the caller
         may free or reuse the data buffer.
data_len Number of bytes in data.
DESCRIPTION
auparse_feed supplies new data for the parser to consume. auparse_init() must have been called with a source type of AUSOURCE_FEED and a
NULL pointer.
The parser consumes as much data as it can, invoking the user-supplied callback registered with auparse_add_callback with a cb_event_type of
AUPARSE_CB_EVENT_READY each time it recognizes a complete event in the data stream. Data not fully parsed persists and is prepended to the
data supplied by the next feed. After all data has been fed to the parser, auparse_flush_feed should be called to signal the end of input
and flush any pending parse data through the parsing system.
EXAMPLE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <auparse.h>

/* Called by the parser each time a complete event is available. */
static void
auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type,
                 void *user_data)
{
        int *event_cnt = (int *)user_data;

        if (cb_event_type == AUPARSE_CB_EVENT_READY) {
                if (auparse_first_record(au) <= 0)
                        return;
                printf("event: %d\n", *event_cnt);
                printf("records:%d\n", auparse_get_num_records(au));
                do {
                        printf("fields:%d\n", auparse_get_num_fields(au));
                        printf("type=%d ", auparse_get_type(au));
                        const au_event_t *e = auparse_get_timestamp(au);
                        if (e == NULL)
                                return;
                        printf("event time: %u.%u:%lu\n",
                               (unsigned)e->sec, e->milli, e->serial);
                        auparse_first_field(au);
                        do {
                                printf("%s=%s (%s)\n", auparse_get_field_name(au),
                                       auparse_get_field_str(au),
                                       auparse_interpret_field(au));
                        } while (auparse_next_field(au) > 0);
                        printf("\n");
                } while (auparse_next_record(au) > 0);
                (*event_cnt)++;
        }
}

int
main(int argc, char **argv)
{
        auparse_state_t *au;
        char *filename;
        FILE *fp;
        char buf[256];
        size_t len;
        int *event_cnt;

        if (argc < 2) {
                fprintf(stderr, "usage: %s <audit log file>\n", argv[0]);
                return 1;
        }
        filename = argv[1];

        /* AUSOURCE_FEED takes no data pointer; data arrives via auparse_feed(). */
        au = auparse_init(AUSOURCE_FEED, NULL);
        if (au == NULL) {
                fprintf(stderr, "auparse_init failed: %s\n", strerror(errno));
                return 1;
        }

        /* The counter is freed by the library (via free) when au is destroyed. */
        event_cnt = malloc(sizeof(int));
        *event_cnt = 1;
        auparse_add_callback(au, auparse_callback, event_cnt, free);

        if ((fp = fopen(filename, "r")) == NULL) {
                fprintf(stderr, "could not open '%s', %s\n", filename, strerror(errno));
                auparse_destroy(au);
                return 1;
        }

        /* Feed the file in arbitrary-sized chunks; the parser handles
         * records that straddle chunk boundaries. */
        while ((len = fread(buf, 1, sizeof(buf), fp))) {
                auparse_feed(au, buf, len);
        }
        fclose(fp);

        /* Signal end of input so any partially buffered event is emitted. */
        auparse_flush_feed(au);
        auparse_destroy(au);
        return 0;
}
RETURN VALUE
Returns -1 if an error occurs; otherwise, 0 for success.
SEE ALSO
auparse_add_callback(3), auparse_flush_feed(3)
AUTHOR
John Dennis
Red Hat May 2007 AUPARSE_FEED(3)