File: ausearch_add_expression.3

Package: audit 1:2.4-1
.TH "AUSEARCH_ADD_EXPRESSION" "3" "Feb 2008" "Red Hat" "Linux Audit API"
.SH NAME
ausearch_add_expression \- build up search expression
.SH "SYNOPSIS"
.B #include <auparse.h>

\fBint ausearch_add_expression(auparse_state_t *\fIau\fB,
const char *\fIexpression\fB, char **\fIerror\fB, ausearch_rule_t \fIhow\fB);\fR

.SH "DESCRIPTION"

.B ausearch_add_expression
adds an expression to the current audit search expression.
The search conditions can then be used to scan logs, files, or buffers
for something of interest.
The
.I expression
parameter contains an expression, as specified in
.BR ausearch\-expression (5).

The
.I how
parameter determines
how this search expression will affect the existing search expression,
if one is already defined.
The possible values are:
.RS
.TP
.I AUSEARCH_RULE_CLEAR
Clear the current search expression, if any,
and use only this search expression.
.TP
.I AUSEARCH_RULE_OR
If a search expression
.I E
is already configured,
replace it by \fB(\fIE\fB || \fIthis_search_expression\fB)\fR.
.TP
.I AUSEARCH_RULE_AND
If a search expression
.I E
is already configured,
replace it by \fB(\fIE\fB && \fIthis_search_expression\fB)\fR.
.RE

.SH "RETURN VALUE"

If successful,
.B ausearch_add_expression
returns 0.
Otherwise, it returns \-1, sets
.B errno
and it may set \fB*\fIerror\fR to an error message;
the caller must free the error message using
.BR free (3).
If an error message is not available or cannot be allocated, \fB*\fIerror\fR
is set to \fBNULL\fR.

.SH "SEE ALSO"

.BR ausearch_add_item (3),
.BR ausearch_add_interpreted_item (3),
.BR ausearch_add_timestamp_item (3),
.BR ausearch_add_regex (3),
.BR ausearch_set_stop (3),
.BR ausearch_clear (3),
.BR ausearch_next_event (3),
.BR ausearch\-expression (5).

.SH AUTHOR
Miloslav Trmac