AUSEARCH_ADD_ITEM
NAME
ausearch_add_item − build up search rule
SYNOPSIS
#include <auparse.h>
int ausearch_add_item(auparse_state_t *au, const char *field, const char *op, const char *value, ausearch_rule_t how);
DESCRIPTION
ausearch_add_item adds one search condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest. The field parameter is the name of the field whose value will be checked. The op parameter describes what kind of check is to be done. Legal op values are:
exists
Just check that a field name exists.
=
Locate the field name and check that the value associated with it is equal to the value given in this rule.
!=
Locate the field name and check that the value associated with it is NOT equal to the value given in this rule.
The value parameter is compared to the uninterpreted field value.
The how value determines how this search condition will affect the existing search expression if one is already defined. The possible values are:
AUSEARCH_RULE_CLEAR
Clear the current search expression, if any, and use only this search condition.
AUSEARCH_RULE_OR
If a search expression E is already configured, replace it by (E || this_search_condition).
AUSEARCH_RULE_AND
If a search expression E is already configured, replace it by (E && this_search_condition).
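The composition rules above, as an added example that is not part of this man page or of libauparse: a stand-alone C model of how successive items nest and of comparison against the uninterpreted value. Assumptions: model_add_item, model_match, search_t and both sample records are constructed for illustration; the first item added becomes the expression whatever its how value; a field that is absent from the record fails != as well as =.

```c
/* Added example: stand-alone model of the rule semantics described above.
 * Not libauparse code; every name below is hypothetical. */
#include <string.h>

typedef enum { RULE_CLEAR, RULE_OR, RULE_AND } how_t; /* stands in for AUSEARCH_RULE_* */
typedef struct { const char *field, *op, *value; how_t how; } cond_t;
typedef struct { cond_t c[8]; int n; } search_t;

/* Constructed sample records (raw, uninterpreted text). */
const char *REC_A = "type=SYSCALL msg=audit(1700000000.100:42): success=yes auid=1000 uid=0";
const char *REC_B = "type=SYSCALL msg=audit(1700000000.200:43): success=no auid=1001 uid=1001";

/* Returns 0 on success, -1 on error, like the call it models. */
int model_add_item(search_t *s, const char *field, const char *op,
                   const char *value, how_t how) {
    int exists = op && !strcmp(op, "exists");
    int cmp = op && (!strcmp(op, "=") || !strcmp(op, "!="));
    if (!field || !*field || !(exists || (cmp && value)))
        return -1;                     /* unknown op, or no value to compare */
    if (how == RULE_CLEAR) s->n = 0;   /* discard the existing expression E */
    if (s->n == 8) return -1;          /* model capacity reached */
    s->c[s->n++] = (cond_t){ field, op, value, how };
    return 0;
}

/* Evaluate one condition against the raw value of "field=" in the record. */
static int eval_cond(const cond_t *c, const char *rec) {
    size_t fl = strlen(c->field);
    for (const char *p = rec; (p = strstr(p, c->field)) != NULL; p += fl) {
        if ((p != rec && p[-1] != ' ') || p[fl] != '=')
            continue;                  /* "uid" must not match inside "auid=" */
        if (c->op[0] == 'e') return 1; /* exists */
        size_t vl = strcspn(p + fl + 1, " ");
        int eq = strlen(c->value) == vl && !strncmp(p + fl + 1, c->value, vl);
        return c->op[0] == '=' ? eq : !eq;
    }
    return 0;                          /* field absent: no operator matches */
}

/* Left fold ((c0 how1 c1) how2 c2)...: && gets no precedence over ||. */
int model_match(const search_t *s, const char *rec) {
    int r = s->n > 0 && eval_cond(&s->c[0], rec);
    for (int i = 1; i < s->n; i++) {
        int e = eval_cond(&s->c[i], rec);
        r = s->c[i].how == RULE_OR ? (r || e) : (r && e);
    }
    return r;
}
```

Adding uid = 0 (clear), then success = no (or), then auid != 1000 (and) yields ((uid=0 || success=no) && auid!=1000), so REC_A is rejected even though its first condition is true. A rule of uid = root never matches REC_A, because the raw value in the record is 0.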
RETURN VALUE
Returns -1 if an error occurs; otherwise, 0 for success.
SEE ALSO
ausearch_add_expression(3), ausearch_add_interpreted_item(3), ausearch_add_timestamp_item(3), ausearch_add_regex(3), ausearch_set_stop(3), ausearch_clear(3), ausearch_next_event(3), ausearch-expression(5).
AUTHOR
Steve Grubb
