
Provided by: libauparse-dev_4.0.1-1ubuntu2_amd64

NAME

       ausearch_add_expression - build up search expression

SYNOPSIS

       #include <auparse.h>

       int ausearch_add_expression(auparse_state_t *au, const char *expression,
                                   char **error, ausearch_rule_t how);

DESCRIPTION

       ausearch_add_expression adds an expression to the current audit search expression. The
       search conditions can then be used to scan logs, files, or buffers for something of
       interest. The expression parameter contains an expression, as specified in
       ausearch-expression(5).

       The how parameter determines how this search expression will affect  the  existing  search
       expression, if one is already defined.  The possible values are:

              AUSEARCH_RULE_CLEAR
                     Clear  the  current  search  expression,  if  any,  and use only this search
                     expression.

              AUSEARCH_RULE_OR
                     If a search expression  E  is  already  configured,  replace  it  by  (E  ||
                     this_search_expression).

              AUSEARCH_RULE_AND
                     If  a  search  expression  E  is  already  configured,  replace  it by (E &&
                     this_search_expression).

RETURN VALUE

       If successful, ausearch_add_expression returns 0. Otherwise, it returns -1, sets errno,
       and may set *error to an error message; the caller must free the error message using
       free(3). If an error message is not available or cannot be allocated, *error is set to
       NULL.

SEE ALSO

       ausearch_add_item(3),   ausearch_add_interpreted_item(3),  ausearch_add_timestamp_item(3),
       ausearch_add_regex(3),  ausearch_set_stop(3),  ausearch_clear(3),  ausearch_next_event(3),
       ausearch_cur_event(3), ausearch-expression(5).

AUTHOR

       Miloslav Trmac