From mboxrd@z Thu Jan  1 00:00:00 1970
From: "kunal chandarana" <chandarana.kunal@gmail.com>
Subject: Auparse using Buffer.......
Date: Fri, 18 Jan 2008 20:12:22 +0530
Message-ID: <770716a30801180642v5c31b536ye696db92805c0e8e@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1860553285=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m0IEgr7U020042
	for <linux-audit@redhat.com>; Fri, 18 Jan 2008 09:42:53 -0500
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.153])
	by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id m0IEgVfi007190
	for <linux-audit@redhat.com>; Fri, 18 Jan 2008 09:42:32 -0500
Received: by fg-out-1718.google.com with SMTP id e12so1189236fga.7
	for <linux-audit@redhat.com>; Fri, 18 Jan 2008 06:42:31 -0800 (PST)
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

--===============1860553285==
Content-Type: multipart/alternative;
	boundary="----=_Part_5893_1885030.1200667342610"

------=_Part_5893_1885030.1200667342610
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

#include<stdio.h>
#include<unistd.h>
#include<auparse.h>
#include<stdlib.h>
#include "libaudit.h"
#include<unistd.h>
#include<fcntl.h>
#include<time.h>
int main(void)
{


    char *data;
    int i=0;

    data="type=USER_ACCT msg=audit(1200638450.722:15): user pid=2156 uid=0
auid=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023msg='op=PAM:accounting
acct=root exe=\"/usr/sbin/gdm-binary\" (hostname=?,
addr=?, terminal=:0 res=success)'\0";


    auparse_state_t *au = auparse_init(AUSOURCE_BUFFER,data);
    if (au == NULL)
    {    printf("hi eroror \n");
        exit(1);
    }


    //ADDING RULES

    if (!ausearch_add_item(au, "a0", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "a1", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "a2", "!=", "NULL", AUSEARCH_RULE_OR))     {}
    if (!ausearch_add_item(au, "a3", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "a4", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "acct", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "addr", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "arch", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "audit_backlog_limit", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "audit_enabled", "!=", "NULL",
AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "audit_failure", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "auid", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "comm", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "cwd", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "dev", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "egid", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "euid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "exe", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "exit", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "file", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "flags", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "format", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "fsgid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "fsuid", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "gid", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "hostname", "!=", "NULL",
AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "id", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "inode", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "inode_gid", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "inode_uid", "!=", "NULL",
AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "item", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "items", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "list", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "mode", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "msg", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "nargs", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "name", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "obj", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "ogid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "old", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "old_prom", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "op", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "ouid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "parent", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "path", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "perm", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "perm_mask", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "pid", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "prom", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "qbytes", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "range", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "rdev", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "res", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "result", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "role", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "saddr", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "sauid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "scontext", "!=", "NULL",
AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "seuser", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "sgid", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "spid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "subj", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "success", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "suid", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "syscall", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "tclass", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "tcontext", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "terminal", "!=", "NULL",
AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "tty", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "type", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "uid", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "user", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "ver", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "watch", "!=", "NULL", AUSEARCH_RULE_OR))
{}


    auparse_next_event(au);


    if (auparse_find_field(au, "auid")) {
    printf("auid=%s\n", auparse_get_field_str(au));
    }
    if (auparse_find_field(au, "hostname")) {
    printf("hostname=%s\n", auparse_get_field_str(au));
    }


    auparse_destroy(au);
    return 0;
}


Same code tried with file pointer is working properly that is
auparse_init(AUSOURCE_FILE_POINTER, <<File Pointer>>).

But when tried with buffer is neither giving output nor error.
auparse_init(AUSOURCE_BUFFER, <<buffer address>>).

------=_Part_5893_1885030.1200667342610
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

#include&lt;stdio.h&gt;<br>#include&lt;unistd.h&gt;<br>#include&lt;auparse.h&gt;<br>#include&lt;stdlib.h&gt;<br>#include &quot;libaudit.h&quot;<br>#include&lt;unistd.h&gt;<br>#include&lt;fcntl.h&gt;<br>#include&lt;time.h&gt;<br>
int main(void) <br>{<br><br><br>&nbsp;&nbsp;&nbsp; char *data;<br>&nbsp;&nbsp;&nbsp; int i=0;<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; data=&quot;type=USER_ACCT msg=audit(1200638450.722:15): user pid=2156 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg=&#39;op=PAM:accounting acct=root exe=\&quot;/usr/sbin/gdm-binary\&quot; (hostname=?, addr=?, terminal=:0 res=success)&#39;\0&quot;;<br>
<br><br>&nbsp;&nbsp;&nbsp; auparse_state_t *au = auparse_init(AUSOURCE_BUFFER,data);<br>&nbsp;&nbsp;&nbsp; if (au == NULL) <br>&nbsp;&nbsp;&nbsp; {&nbsp;&nbsp;&nbsp; printf(&quot;hi eroror \n&quot;);<br>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; exit(1);<br>&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp; <br><br>&nbsp;&nbsp;&nbsp; //ADDING RULES<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;a0&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;a1&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;a2&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR)) &nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;a3&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;a4&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;acct&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;addr&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;arch&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;audit_backlog_limit&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;audit_enabled&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;audit_failure&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;auid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;comm&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;cwd&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;dev&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;egid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;euid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;exe&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;exit&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;file&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;flags&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;format&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;fsgid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;fsuid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;gid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;hostname&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;id&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;inode&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;inode_gid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;inode_uid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;item&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;items&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;list&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;mode&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;msg&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;nargs&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;name&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;obj&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;ogid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;old&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;old_prom&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;op&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;ouid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;parent&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}&nbsp;&nbsp;&nbsp; <br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;path&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;perm&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;perm_mask&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;pid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;prom&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;qbytes&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;range&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;rdev&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;res&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;result&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;role&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;saddr&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;sauid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;scontext&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;seuser&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;sgid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;spid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;subj&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;success&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;suid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;syscall&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;tclass&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;tcontext&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;terminal&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;tty&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;type&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;uid&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;user&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;ver&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br>
&nbsp;&nbsp;&nbsp; if (!ausearch_add_item(au, &quot;watch&quot;, &quot;!=&quot;, &quot;NULL&quot;, AUSEARCH_RULE_OR))&nbsp;&nbsp;&nbsp; {}<br><br>&nbsp;&nbsp;&nbsp; &nbsp;<br>&nbsp;&nbsp;&nbsp; auparse_next_event(au);<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; if (auparse_find_field(au, &quot;auid&quot;)) {<br>
&nbsp;&nbsp;&nbsp; printf(&quot;auid=%s\n&quot;, auparse_get_field_str(au));<br>&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp; if (auparse_find_field(au, &quot;hostname&quot;)) {<br>&nbsp;&nbsp;&nbsp; printf(&quot;hostname=%s\n&quot;, auparse_get_field_str(au));<br>&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; auparse_destroy(au);<br>&nbsp;&nbsp;&nbsp; return 0;<br>}<br><br><br>Same code tried with file pointer is working properly that is&nbsp; auparse_init(AUSOURCE_FILE_POINTER, &lt;&lt;File Pointer&gt;&gt;).<br><br>But when tried with buffer is neither giving output nor error. auparse_init(AUSOURCE_BUFFER, &lt;&lt;buffer address&gt;&gt;).<br>
<br><br>&nbsp;<br><br><br><br>

------=_Part_5893_1885030.1200667342610--


--===============1860553285==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============1860553285==--