diff options
Diffstat (limited to 'framework/src/audit/docs/ausearch_add_expression.3')
-rw-r--r-- | framework/src/audit/docs/ausearch_add_expression.3 | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/framework/src/audit/docs/ausearch_add_expression.3 b/framework/src/audit/docs/ausearch_add_expression.3 new file mode 100644 index 00000000..c3c17c9d --- /dev/null +++ b/framework/src/audit/docs/ausearch_add_expression.3 @@ -0,0 +1,71 @@ +.TH "AUSEARCH_ADD_expression" "3" "Feb 2008" "Red Hat" "Linux Audit API" +.SH NAME +ausearch_add_expression \- build up search expression +.SH "SYNOPSIS" +.B #include <auparse.h> + +\fBint ausearch_add_expression(auparse_state_t *\fIau\fB, +const char *\fIexpression\fB, char **\fIerror\fB, ausearch_rule_t \fIhow\fB);\fR + +.SH "DESCRIPTION" + +.B ausearch_add_item +adds an expression to the current audit search expression. +The search conditions can then be used to scan logs, files, or buffers +for something of interest. +The +.I expression +parameter contains an expression, as specified in +.BR ausearch\-expression (5). + +The +.I how +parameter determines +how this search expression will affect the existing search expression, +if one is already defined. +The possible values are: +.RS +.TP +.I AUSEARCH_RULE_CLEAR +Clear the current search expression, if any, +and use only this search expression. +.TP +.I AUSEARCH_RULE_OR +If a search expression +.I E +is already configured, +replace it by \fB(\fIE\fB || \fIthis_search_expression\fB)\fR. +.TP +.I AUSEARCH_RULE_AND +If a search expression +.I E +is already configured, +replace it by \fB(\fIE\fB && \fIthis_search_expression\fB)\fR. +.RE + +.SH "RETURN VALUE" + +If successful, +.B ausearch_add_expression +returns 0. +Otherwise, it returns \-1, sets +.B errno +and it may set \fB*\fIerror\fR to an error message; +the caller must free the error message using +.BR free (3). +If an error message is not available or can not be allocated, \fB*\fIerror\fR +is set to \fBNULL\fR. + +.SH "SEE ALSO" + +.BR ausearch_add_item (3), +.BR ausearch_add_interpreted_item (3), +.BR ausearch_add_timestamp_item (3), +.BR ausearch_add_regex (3), +.BR ausearch_set_stop (3), +.BR ausearch_clear (3), +.BR ausearch_next_event (3), +.BR ausearch\-expression (5). + +.SH AUTHOR +Miloslav Trmac |