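/*
 * auparse_callback - invoked by auparse once a complete event has been
 * assembled.  Walks every record of the event and hands each one to the
 * handler for its record class as classified by return_audtype().
 *
 * _au            parser state positioned on the completed event
 * cb_event_type  only AUPARSE_CB_EVENT_READY is acted on; anything else
 *                is ignored
 * user_data      int * used as the running event counter; it is
 *                incremented once, after the whole event has been walked
 *
 * Returns early (leaving the counter untouched) when the first record
 * cannot be selected or when a record carries no timestamp.
 */
static void auparse_callback(auparse_state_t *_au,
			     auparse_cb_event_t cb_event_type,
			     void *user_data)
{
	int *event_cnt = (int *)user_data;
	int num_records = auparse_get_num_records(_au);
	int record_cnt;

	if (cb_event_type != AUPARSE_CB_EVENT_READY)
		return;

	if (auparse_first_record(_au) <= 0)
		return;	/* no first record, nothing to process */

	record_cnt = 1;
	do {
		int audtype = return_audtype(auparse_get_type(_au));

		/*
		 * Handler arguments: parser state, running event number,
		 * total records in this event, this record's 1-based
		 * position within the event.
		 */
		switch (audtype) {
		case PLACE_OBJ:
			process_place_obj(_au, event_cnt, num_records, record_cnt);
			break;
		case USER_OBJ:
			process_user_obj(_au, event_cnt, num_records, record_cnt);
			break;
		case SYSCALL_OBJ:
			process_syscall_obj(_au, event_cnt, num_records, record_cnt);
			break;
		case SOCK_OBJ:
			process_sock_obj(_au, event_cnt, num_records, record_cnt);
			break;
		case EXECVE_OBJ:
			process_execv_obj(_au, event_cnt, num_records, record_cnt);
			break;
		case GENERIC_OBJ:
			process_generic_obj(_au, event_cnt, num_records, record_cnt);
			break;
		default:
			/* record classes without a handler are skipped */
			break;
		}

		/*
		 * A record without a timestamp stops processing of this
		 * event; the event is not counted in that case.
		 */
		if (auparse_get_timestamp(_au) == NULL)
			return;

		record_cnt++;
	} while (auparse_next_record(_au) > 0);

	(*event_cnt)++;
}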
/*
 * emit_raw_record - F_CHECK mode: print the current record back out in
 * "type=... msg=audit(sec.milli:serial): field=value ..." form.  The node
 * and type fields are left out because the header written first already
 * carries them.
 */
static void emit_raw_record(auparse_state_t *au, const au_event_t *e)
{
	if (e->host != NULL)
		printf("node=%s type=%s msg=audit(%u.%3.3u:%lu):",
		       e->host, auparse_get_type_name(au),
		       (unsigned) e->sec, e->milli, e->serial);
	else
		printf("type=%s msg=audit(%u.%3.3u:%lu):",
		       auparse_get_type_name(au),
		       (unsigned) e->sec, e->milli, e->serial);

	auparse_first_field(au);
	do {
		const char *name = auparse_get_field_name(au);
		int skip = strcmp(name, "type") == 0 || strcmp(name, "node") == 0;

		if (!skip)
			printf(" %s=%s", name, auparse_get_field_str(au));
	} while (auparse_next_field(au) > 0);
	printf("\n");
}

/*
 * emit_parsed_record - normal mode: one line per record giving the field
 * count, the record type and the event id; with F_VERBOSE every field is
 * appended as "name=raw (interpreted)", both values passed through
 * print_escape().
 */
static void emit_parsed_record(auparse_state_t *au, const au_event_t *e)
{
	printf("fields=%d\t", auparse_get_num_fields(au));
	printf("type=%d (%s) ", auparse_get_type(au), auparse_get_type_name(au));
	printf("event_tid=%u.%3.3u:%lu ", (unsigned) e->sec, e->milli, e->serial);

	if (flags & F_VERBOSE) {
		auparse_first_field(au);
		do {
			/* raw value first, then the interpreted form */
			char *raw = (char *) auparse_get_field_str(au);
			char *interp = (char *) auparse_interpret_field(au);

			printf("%s=", auparse_get_field_name(au));
			print_escape(stdout, raw, "=()");
			printf(" (");
			print_escape(stdout, interp, "=()");
			printf(") ");
		} while (auparse_next_field(au) > 0);
	}
	printf("\n");
}

/*
 * auparse_callback - callback routine executed once a complete event is
 * composed.  For AUPARSE_CB_EVENT_READY it walks every record of the event:
 * with F_CHECK set each record is re-emitted in raw form, otherwise an
 * "event=N records=M" header is printed followed by one summary line per
 * record.  user_data is an int * event counter, incremented once after the
 * event has been fully walked; it is left unchanged when there is no first
 * record or a record has no timestamp.
 */
void auparse_callback(auparse_state_t * au, auparse_cb_event_t cb_event_type,
		      void *user_data)
{
	int *counted = (int *) user_data;

	if (cb_event_type != AUPARSE_CB_EVENT_READY)
		return;
	if (auparse_first_record(au) <= 0)
		return;	/* no first record, so nothing to report */

	if (!(flags & F_CHECK))
		printf("event=%d records=%d\n", *counted,
		       auparse_get_num_records(au));

	do {
		const au_event_t *ev = auparse_get_timestamp(au);

		if (ev == NULL)
			return;	/* no timestamp: abandon the event, uncounted */

		if (flags & F_CHECK)
			emit_raw_record(au, ev);
		else
			emit_parsed_record(au, ev);
	} while (auparse_next_record(au) > 0);

	(*counted)++;
}