aboutsummaryrefslogtreecommitdiffstats
path: root/framework/src/audit/docs/ausearch_add_expression.3
diff options
context:
space:
mode:
Diffstat (limited to 'framework/src/audit/docs/ausearch_add_expression.3')
-rw-r--r--framework/src/audit/docs/ausearch_add_expression.371
1 files changed, 71 insertions, 0 deletions
diff --git a/framework/src/audit/docs/ausearch_add_expression.3 b/framework/src/audit/docs/ausearch_add_expression.3
new file mode 100644
index 00000000..c3c17c9d
--- /dev/null
+++ b/framework/src/audit/docs/ausearch_add_expression.3
@@ -0,0 +1,71 @@
+.TH "AUSEARCH_ADD_expression" "3" "Feb 2008" "Red Hat" "Linux Audit API"
+.SH NAME
+ausearch_add_expression \- build up search expression
+.SH "SYNOPSIS"
+.B #include <auparse.h>
+
+\fBint ausearch_add_expression(auparse_state_t *\fIau\fB,
+const char *\fIexpression\fB, char **\fIerror\fB, ausearch_rule_t \fIhow\fB);\fR
+
+.SH "DESCRIPTION"
+
+.B ausearch_add_item
+adds an expression to the current audit search expression.
+The search conditions can then be used to scan logs, files, or buffers
+for something of interest.
+The
+.I expression
+parameter contains an expression, as specified in
+.BR ausearch\-expression (5).
+
+The
+.I how
+parameter determines
+how this search expression will affect the existing search expression,
+if one is already defined.
+The possible values are:
+.RS
+.TP
+.I AUSEARCH_RULE_CLEAR
+Clear the current search expression, if any,
+and use only this search expression.
+.TP
+.I AUSEARCH_RULE_OR
+If a search expression
+.I E
+is already configured,
+replace it by \fB(\fIE\fB || \fIthis_search_expression\fB)\fR.
+.TP
+.I AUSEARCH_RULE_AND
+If a search expression
+.I E
+is already configured,
+replace it by \fB(\fIE\fB && \fIthis_search_expression\fB)\fR.
+.RE
+
+.SH "RETURN VALUE"
+
+If successful,
+.B ausearch_add_expression
+returns 0.
+Otherwise, it returns \-1, sets
+.B errno
+and it may set \fB*\fIerror\fR to an error message;
+the caller must free the error message using
+.BR free (3).
+If an error message is not available or can not be allocated, \fB*\fIerror\fR
+is set to \fBNULL\fR.
+
+.SH "SEE ALSO"
+
+.BR ausearch_add_item (3),
+.BR ausearch_add_interpreted_item (3),
+.BR ausearch_add_timestamp_item (3),
+.BR ausearch_add_regex (3),
+.BR ausearch_set_stop (3),
+.BR ausearch_clear (3),
+.BR ausearch_next_event (3),
+.BR ausearch\-expression (5).
+
+.SH AUTHOR
+Miloslav Trmac