ausearch_add_expression

AUSEARCH_ADD_expression(3)      Linux Audit API     AUSEARCH_ADD_expression(3)



NAME
       ausearch_add_expression - build up search expression

SYNOPSIS
       #include <auparse.h>

       int ausearch_add_expression(auparse_state_t *au, const char
       *expression, char **error, ausearch_rule_t how);


DESCRIPTION
       ausearch_add_item adds an expression to the current audit search
       expression.  The search conditions can then be used to scan logs,
       files, or buffers for something of interest.  The expression parameter
       contains an expression, as specified in ausearch-expression(5).

       The how parameter determines how this search expression will affect the
       existing search expression, if one is already defined.  The possible
       values are:

              AUSEARCH_RULE_CLEAR
                     Clear the current search expression, if any, and use only
                     this search expression.

              AUSEARCH_RULE_OR
                     If a search expression E is already configured, replace
                     it by (E || this_search_expression).

              AUSEARCH_RULE_AND
                     If a search expression E is already configured, replace
                     it by (E && this_search_expression).


RETURN VALUE
       If successful, ausearch_add_expression returns 0.  Otherwise, it
       returns -1, sets errno and it may set *error to an error message; the
       caller must free the error message using free(3).  If an error message
       is not available or can not be allocated, *error is set to NULL.


SEE ALSO
       ausearch_add_item(3), ausearch_add_interpreted_item(3),
       ausearch_add_timestamp_item(3), ausearch_add_regex(3),
       ausearch_set_stop(3), ausearch_clear(3), ausearch_next_event(3),
       ausearch-expression(5).


AUTHOR
       Miloslav Trmac



Red Hat                            Feb 2008         AUSEARCH_ADD_expression(3)