NAME¶
ausearch_add_expression - build up search expression
SYNOPSIS¶
#include <auparse.h>
int ausearch_add_expression(auparse_state_t *au, const
char * expression, char **error, ausearch_rule_t
how);
DESCRIPTION¶
ausearch_add_item adds an expression to the current audit search
expression. The search conditions can then be used to scan logs, files, or
buffers for something of interest. The
expression parameter contains an
expression, as specified in
ausearch-expression(5).
The
how parameter determines how this search expression will affect the
existing search expression, if one is already defined. The possible values
are:
- AUSEARCH_RULE_CLEAR
- Clear the current search expression, if any, and use only this search
expression.
- AUSEARCH_RULE_OR
- If a search expression E is already configured, replace it by
( E || this_search_expression).
- AUSEARCH_RULE_AND
- If a search expression E is already configured, replace it by
( E &&
this_search_expression).
RETURN VALUE¶
If successful,
ausearch_add_expression returns 0. Otherwise, it returns
-1, sets
errno and it may set
*error to an error message;
the caller must free the error message using
free(3). If an error
message is not available or can not be allocated,
*error is set
to
NULL.
SEE ALSO¶
ausearch_add_item(3),
ausearch_add_interpreted_item(3),
ausearch_add_timestamp_item(3),
ausearch_add_regex(3),
ausearch_set_stop(3),
ausearch_clear(3),
ausearch_next_event(3),
ausearch-expression(5).
AUTHOR¶
Miloslav Trmac