1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
.TH "AUPARSE_FEED" "3" "May 2007" "Red Hat" "Linux Audit API"
.SH NAME
auparse_feed \- feed data into parser
.SH "SYNOPSIS"
.B #include <auparse.h>
.sp
.nf
int auparse_feed(auparse_state_t *au, const char *data, size_t data_len);
.fi
.TP
.I au
The audit parse state
.TP
.I data
a buffer of data to feed into the parser, it is
.I data_len
bytes long. The data is copied in the parser, upon return the caller may free or reuse the data buffer.
.TP
.I data_len
number of bytes in
.I data
.SH "DESCRIPTION"
.I auparse_feed
supplies new data for the parser to consume.
.I auparse_init()
must have been called with a source type of AUSOURCE_FEED and a NULL pointer.
.br
.sp
The parser consumes as much data
as it can invoking a user supplied callback specified with
.I auparse_add_callback
with a cb_event_type of
.I AUPARSE_CB_EVENT_READY
each time the parser recognizes a complete event in the data stream. Data not fully parsed will persist and be
prepended to the next feed data. After all data has been feed to the parser
.I auparse_flush_feed
should be called to signal the end of input data and flush any pending parse data through the parsing system.
.SH "EXAMPLE"
.nf
void
auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type,
void *user_data)
{
int *event_cnt = (int *)user_data;
if (cb_event_type == AUPARSE_CB_EVENT_READY) {
if (auparse_first_record(au) <= 0) return;
printf("event: %d\\n", *event_cnt);
printf("records:%d\\n", auparse_get_num_records(au));
do {
printf("fields:%d\\n", auparse_get_num_fields(au));
printf("type=%d ", auparse_get_type(au));
const au_event_t *e = auparse_get_timestamp(au);
if (e == NULL) return;
printf("event time: %u.%u:%lu\\n",
(unsigned)e\->sec, e\->milli, e\->serial);
auparse_first_field(au);
do {
printf("%s=%s (%s)\\n", auparse_get_field_name(au),
auparse_get_field_str(au),
auparse_interpret_field(au));
} while (auparse_next_field(au) > 0);
printf("\\n");
} while(auparse_next_record(au) > 0);
(*event_cnt)++;
}
}
main(int argc, char **argv)
{
char *filename = argv[1];
FILE *fp;
char buf[256];
size_t len;
int *event_cnt = malloc(sizeof(int));
au = auparse_init(AUSOURCE_FEED, 0);
*event_cnt = 1;
auparse_add_callback(au, auparse_callback, event_cnt, free);
if ((fp = fopen(filename, "r")) == NULL) {
fprintf(stderr, "could not open '%s', %s\\n", filename, strerror(errno));
return 1;
}
while ((len = fread(buf, 1, sizeof(buf), fp))) {
auparse_feed(au, buf, len);
}
auparse_flush_feed(au);
}
.fi
.SH "RETURN VALUE"
Returns \-1 if an error occurs; otherwise, 0 for success.
.SH "SEE ALSO"
.BR auparse_add_callback (3),
.BR auparse_flush_feed (3),
.BR auparse_feed_has_data (3)
.SH AUTHOR
John Dennis
|
