/* This function shows how to iterate through the fields of a record
* and print its name and raw value and interpretted value. */
static void dump_fields_of_record(auparse_state_t *au)
{
printf("record type %d(%s) has %d fields\n", auparse_get_type(au),
audit_msg_type_to_name(auparse_get_type(au)),
auparse_get_num_fields(au));
printf("line=%d file=%s\n", auparse_get_line_number(au),
auparse_get_filename(au) ? auparse_get_filename(au) : "stdin");
const au_event_t *e = auparse_get_timestamp(au);
if (e == NULL) {
printf("Error getting timestamp - aborting\n");
return;
}
/* Note that e->sec can be treated as time_t data if you want
* something a little more readable */
printf("event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec,
e->milli, e->serial, e->host ? e->host : "?");
auparse_first_field(au);
do {
printf("field: %s=%s (%s)\n",
auparse_get_field_name(au),
auparse_get_field_str(au),
auparse_interpret_field(au));
} while (auparse_next_field(au) > 0);
printf("\n");
}
static void auparse_callback(auparse_state_t *_au, auparse_cb_event_t cb_event_type, void *user_data)
{
int *event_cnt = (int *)user_data;
int num_records = auparse_get_num_records(_au);
int record_cnt;
if (cb_event_type == AUPARSE_CB_EVENT_READY) {
if (auparse_first_record(_au) <= 0) {
return;
}
record_cnt = 1;
do {
int audtype = return_audtype(auparse_get_type(_au));
switch(audtype) {
case PLACE_OBJ:
// au, event number:total rec in event:this num in event
process_place_obj(_au, event_cnt, num_records, record_cnt);
break;
case USER_OBJ:
process_user_obj(_au, event_cnt, num_records, record_cnt);
break;
case SYSCALL_OBJ:
process_syscall_obj(_au, event_cnt, num_records, record_cnt);
break;
case SOCK_OBJ:
process_sock_obj(_au, event_cnt, num_records, record_cnt);
break;
case EXECVE_OBJ:
process_execv_obj(_au, event_cnt, num_records, record_cnt);
break;
case GENERIC_OBJ:
process_generic_obj(_au, event_cnt, num_records, record_cnt);
break;
}
const au_event_t *e = auparse_get_timestamp(_au);
if (e == NULL) {
return;
}
record_cnt++;
} while(auparse_next_record(_au) > 0); // end of do
(*event_cnt)++;
} // end cb_event_type == AUPARSE_CB_EVENT_READY
}
static void process_execv_obj(auparse_state_t *_au, int *event_cnt, int num_records, int record_cnt)
{
char* type = "NULL";
char* t_type = NULL;
char* node = "localhost";
char* t_node = NULL;
char* argc = "NULL";
char* arg = "NULL";
int num_fields = auparse_get_num_fields(_au) - 1;
int n;
/* test error condition */
if ( num_fields == -1 )
return;
const au_event_t *e = auparse_get_timestamp(_au);
if (e == NULL)
return;
if ( auparse_first_field(_au) == 0 )
return;
for ( n = 0 ; n <= num_fields; n++ ) {
char* field_name = (char*)auparse_get_field_name_wrap(_au);
if ( strcmp(field_name,F_TYPE) == 0 ) {
type = (char*)auparse_interpret_field_wrap(_au);
t_type = encode_string(type, strlen(type));
}
if ( strcmp(field_name, F_NODE) == 0 ) {
node = (char*)auparse_interpret_field_wrap(_au);
t_node = encode_string(node, strlen(node));
}
if ( strcmp(field_name, F_ARGC) == 0 )
argc = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_ARG) == 0 )
arg = (char*)auparse_interpret_field_wrap(_au);
auparse_next_field(_au);
}
bzero(msgbuf, sizeof(msgbuf));
snprintf(msgbuf, sizeof(msgbuf) - 1, "NERSCAUD %i:%i:%i EXEC_OBJ %s %u.%u %s %s %s %s %s\n", *event_cnt, num_records, record_cnt, t_type, (unsigned)e->sec, e->milli, t_node, ses_holder, pid_holder, argc, arg);
s_write(msgbuf);
free(t_type);
free(t_node);
return;
}
static void process_generic_obj(auparse_state_t *_au, int *event_cnt, int num_records, int record_cnt)
{
char* type = "NULL";
char* t_type = NULL;
char* node = "localhost";
char* t_node = NULL;
char* ses = "NULL";
char* auid = "NULL";
char* egid = "NULL";
char* euid = "NULL";
char* fsgid = "NULL";
char* fsuid = "NULL";
char* gid = "NULL";
char* suid = "NULL";
char* sgid = "NULL";
char* uid = "NULL";
char* comm = "NULL";
char* t_comm = NULL;
char* exe = "NULL";
char* t_exe = NULL;
char* a0 = "NULL";
char* t_a0 = NULL;
char* a1 = "NULL";
char* t_a1 = NULL;
char* a2 = "NULL";
char* t_a2 = NULL;
char* pid = "NULL";
char* ppid = "NULL";
char* success = "NULL";
char* xit = "NULL";
char* t_xit = NULL;
char* tty = "NULL";
char* key = "NULL";
int num_fields = auparse_get_num_fields(_au) - 1;
int n;
/* test error condition */
if ( num_fields == -1 )
return;
const au_event_t *e = auparse_get_timestamp(_au);
if (e == NULL)
return;
if ( auparse_first_field(_au) == 0 )
return;
for ( n = 0 ; n <= num_fields; n++ ) {
char* field_name = (char*)auparse_get_field_name_wrap(_au);
if ( strcmp(field_name,F_TYPE) == 0 ) {
type = (char*)auparse_interpret_field_wrap(_au);
t_type = encode_string(type, strlen(type));
}
if ( strcmp(field_name, F_NODE) == 0 ) {
node = (char*)auparse_interpret_field_wrap(_au);
t_node = encode_string(node, strlen(node));
}
if ( strcmp(field_name, F_SES) == 0 )
ses = (char*)auparse_get_field_str_wrap(_au);
if ( strcmp(field_name, F_EGID) == 0 )
egid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_AUID) == 0 )
auid = (char*)auparse_get_field_str_wrap(_au);
if ( strcmp(field_name, F_EUID) == 0 )
euid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_FSGID) == 0 )
fsgid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_FSUID) == 0 )
fsuid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_GID) == 0 )
gid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_SUID) == 0 )
suid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_SGID) == 0 )
sgid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_UID) == 0 )
uid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_COMM) == 0 ) {
comm = (char*)auparse_interpret_field_wrap(_au);
t_comm = encode_string( comm, strlen(comm));
}
if ( strcmp(field_name, F_A0) == 0 ) {
a0 = (char*)auparse_get_field_str_wrap(_au);
t_a0 = encode_string( a0, strlen(a0));
}
if ( strcmp(field_name, F_A1) == 0 ) {
a1 = (char*)auparse_get_field_str_wrap(_au);
t_a1 = encode_string( a1, strlen(a1));
}
if ( strcmp(field_name, F_A2) == 0 ) {
a2 = (char*)auparse_get_field_str_wrap(_au);
t_a2 = encode_string( a2, strlen(a2));
}
if ( strcmp(field_name, F_PID) == 0 )
pid = (char*)auparse_get_field_str_wrap(_au);
if ( strcmp(field_name, F_PPID) == 0 )
ppid = (char*)auparse_get_field_str_wrap(_au);
if ( strcmp(field_name, F_SUCCESS) == 0 )
success = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_EXIT) == 0 ) {
xit = (char*)auparse_interpret_field_wrap(_au);
t_xit = encode_string( xit, strlen(xit));
}
if ( strcmp(field_name, F_TTY) == 0 )
tty = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_EXE) == 0 ) {
exe = (char*)auparse_interpret_field_wrap(_au);
t_exe = encode_string( exe, strlen(exe));
}
if ( strcmp(field_name, F_KEY) == 0 )
key = (char*)auparse_interpret_field_wrap(_au);
auparse_next_field(_au);
}
bzero(msgbuf, sizeof(msgbuf));
snprintf(msgbuf, sizeof(msgbuf) - 1, "NERSCAUD %i:%i:%i GENERIC_OBJ %s %u.%u %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s\n", *event_cnt, num_records, record_cnt, t_type, (unsigned)e->sec, e->milli, t_node, ses, auid, key, t_comm, t_exe, t_a0, t_a1, t_a2, uid, gid, euid, egid, fsuid, fsgid, suid, sgid, pid, ppid, tty, success, t_xit);
s_write(msgbuf);
strncpy(ses_holder,ses,holder_size);
strncpy(pid_holder,pid,holder_size);
free(t_node);
free(t_type);
free(t_comm);
free(t_a0);
free(t_a1);
free(t_a2);
free(t_xit);
free(t_exe);
return;
}
static void process_user_obj(auparse_state_t *_au, int *event_cnt, int num_records, int record_cnt)
{
char* type = "NULL";
char* t_type = NULL;
char* node = "localhost";
char* t_node = NULL;
char* ses = "NULL";
char* egid = "NULL";
char* auid = "NULL";
char* euid = "NULL";
char* fsgid = "NULL";
char* fsuid = "NULL";
char* gid = "NULL";
char* suid = "NULL";
char* sgid = "NULL";
char* uid = "NULL";
char* pid = "NULL";
char* success = "NULL";
char* xit = "NULL";
char* t_xit = NULL;
char* term = "NULL";
char* exe = "NULL";
char* t_exe = NULL;
int num_fields = auparse_get_num_fields(_au) - 1;
int n;
/* test error condition */
if ( num_fields == -1 )
return;
const au_event_t *e = auparse_get_timestamp(_au);
if (e == NULL)
return;
if ( auparse_first_field(_au) == 0 )
return;
for ( n = 0 ; n <= num_fields; n++ ) {
char* field_name = (char*)auparse_get_field_name_wrap(_au);
if ( strcmp(field_name,F_TYPE) == 0 ) {
type = (char*)auparse_interpret_field_wrap(_au);
t_type = encode_string( type, strlen(type));
}
if ( strcmp(field_name, F_NODE) == 0 ) {
node = (char*)auparse_interpret_field_wrap(_au);
t_node = encode_string( node, strlen(node));
}
if ( strcmp(field_name, F_SES) == 0 )
ses = (char*)auparse_get_field_str_wrap(_au);
if ( strcmp(field_name, F_EGID) == 0 )
egid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_AUID) == 0 )
auid = (char*)auparse_get_field_str_wrap(_au);
if ( strcmp(field_name, F_EUID) == 0 )
euid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_FSGID) == 0 )
fsgid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_FSUID) == 0 )
fsuid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_GID) == 0 )
gid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_SUID) == 0 )
suid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_SGID) == 0 )
sgid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_UID) == 0 )
uid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_PID) == 0 )
pid = (char*)auparse_get_field_str_wrap(_au);
if ( strcmp(field_name, F_SUCCESS) == 0 )
success = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_EXIT) == 0 ) {
xit = (char*)auparse_interpret_field_wrap(_au);
t_xit = encode_string( xit, strlen(xit));
}
if ( strcmp(field_name, F_TERM) == 0 )
term = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_EXE) == 0 ) {
exe = (char*)auparse_interpret_field_wrap(_au);
t_exe = encode_string( exe, strlen(exe));
}
auparse_next_field(_au);
}
strncpy(ses_holder,ses,holder_size);
strncpy(pid_holder,pid,holder_size);
bzero(msgbuf, sizeof(msgbuf));
snprintf(msgbuf, sizeof(msgbuf) - 1, "NERSCAUD %i:%i:%i USER_OBJ %s %u.%u %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s\n", *event_cnt, num_records, record_cnt, t_type, (unsigned)e->sec, e->milli, t_node, ses, auid, egid, euid, fsgid, fsuid, gid, suid, sgid, uid, pid, success, t_xit, term, t_exe);
s_write(msgbuf);
free(t_node);
free(t_type);
free(t_xit);
free(t_exe);
return;
}
static void process_place_obj(auparse_state_t *_au, int *event_cnt, int num_records, int record_cnt)
{
char* type = "NULL";
char* t_type = NULL;
char* node = "localhost";
char* t_node = NULL;
char* cwd = "NULL";
char* t_cwd = NULL;
char* path_name = "NULL";
char* t_path_name = NULL;
char* inode = "NULL";
char* mode = "NULL";
char* t_mode = NULL;
char* ouid = "NULL";
char* ogid = "NULL";
int num_fields = auparse_get_num_fields(_au) - 1;
int n;
/* test error condition */
if ( num_fields == -1 )
return;
const au_event_t *e = auparse_get_timestamp(_au);
if (e == NULL)
return;
if ( auparse_first_field(_au) == 0 )
return;
for ( n = 0 ; n <= num_fields; n++ ) {
char* field_name = (char*)auparse_get_field_name_wrap(_au);
if ( strcmp(field_name, F_TYPE) == 0 ) {
type = (char*)auparse_interpret_field_wrap(_au);
t_type = encode_string( type, strlen(type));
}
if ( strcmp(field_name, F_NODE) == 0 ) {
node = (char*)auparse_interpret_field_wrap(_au);
t_node = encode_string( node, strlen(node));
}
if ( strcmp(field_name, F_CWD) == 0 ) {
cwd = (char*)auparse_interpret_field_wrap(_au);
t_cwd = encode_string( cwd, strlen(cwd));
}
if ( strcmp(field_name, F_NAME) == 0 ) {
path_name = (char*)auparse_interpret_field_wrap(_au);
t_path_name = encode_string( path_name, strlen(path_name));
}
if ( strcmp(field_name, F_INODE) == 0 )
inode = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_MODE) == 0 ) {
mode = (char*)auparse_interpret_field_wrap(_au);
t_mode = encode_string( mode, strlen(mode));
}
if ( strcmp(field_name, F_OUID) == 0 )
ouid = (char*)auparse_interpret_field_wrap(_au);
if ( strcmp(field_name, F_OGID) == 0 )
ogid = (char*)auparse_interpret_field_wrap(_au);
auparse_next_field(_au);
}
bzero(msgbuf, sizeof(msgbuf));
snprintf(msgbuf,sizeof(msgbuf) - 1, "NERSCAUD %i:%i:%i PLACE_OBJ %s %u.%u %s %s %s %s %s %s %s %s %s\n", *event_cnt, num_records, record_cnt, t_type, (unsigned)e->sec, e->milli, t_node, ses_holder, pid_holder, t_cwd, t_path_name, inode, t_mode, ouid, ogid);
s_write(msgbuf);
free(t_type);
free(t_node);
free(t_cwd);
free(t_path_name);
free(t_mode);
return;
}
/*
* auparse library callback that's called when an event is ready
*/
void
push_event(auparse_state_t * au, auparse_cb_event_t cb_event_type,
void *user_data)
{
int rc;
BerElement *ber;
int qualifier;
char timestamp[26];
char linkValue[ZOS_REMOTE_LINK_VALUE_SIZE];
char logString[ZOS_REMOTE_LOGSTRING_SIZE];
unsigned long linkValue_tmp;
if (cb_event_type != AUPARSE_CB_EVENT_READY)
return;
const au_event_t *e = auparse_get_timestamp(au);
if (e == NULL)
return;
/*
* we have an event. Each record will result in a different 'Item'
* (refer ASN.1 definition in zos-remote-ldap.h)
*/
/*
* Create a new BER element to encode the request
*/
ber = ber_alloc_t(LBER_USE_DER);
if (ber == NULL) {
log_err("Error allocating memory for BER element");
goto fatal;
}
/*
* Collect some information to fill in every item
*/
const char *node = auparse_get_node(au);
const char *orig_type = auparse_find_field(au, "type");
/* roll back event to get 'success' */
auparse_first_record(au);
const char *success = auparse_find_field(au, "success");
/* roll back event to get 'res' */
auparse_first_record(au);
const char *res = auparse_find_field(au, "res");
/* check if this event is a success or failure one */
if (success) {
if (strncmp(success, "0", 1) == 0 ||
strncmp(success, "no", 2) == 0)
qualifier = ZOS_REMOTE_QUALIF_FAIL;
else
qualifier = ZOS_REMOTE_QUALIF_SUCCESS;
} else if (res) {
if (strncmp(res, "0", 1) == 0
|| strncmp(res, "failed", 6) == 0)
qualifier = ZOS_REMOTE_QUALIF_FAIL;
else
qualifier = ZOS_REMOTE_QUALIF_SUCCESS;
} else
qualifier = ZOS_REMOTE_QUALIF_INFO;
/* get timestamp text */
ctime_r(&e->sec, timestamp);
timestamp[24] = '\0'; /* strip \n' */
/* prepare linkValue which will be used for every item */
linkValue_tmp = htonl(e->serial); /* padronize to use network
* byte order
*/
memset(&linkValue, 0, ZOS_REMOTE_LINK_VALUE_SIZE);
memcpy(&linkValue, &linkValue_tmp, sizeof(unsigned long));
/*
* Prepare the logString with some meaningful text
* We assume the first record type found is the
* 'originating' audit record
*/
sprintf(logString, "Linux (%s): type: %s", node, orig_type);
/*
* Start writing to BER element.
* There's only one field (version) out of the item sequence.
* Also open item sequence
*/
rc = ber_printf(ber, "{i{", ICTX_REQUESTVER);
if (rc < 0)
goto skip_event;
/*
* Roll back to first record and iterate through all records
*/
auparse_first_record(au);
do {
const char *type = auparse_find_field(au, "type");
if (type == NULL)
goto skip_event;
log_debug("got record: %s", auparse_get_record_text(au));
/*
* First field is item Version, same as global version
*/
rc = ber_printf(ber, "{i", ICTX_REQUESTVER);
/*
* Second field is the itemTag
* use our internal event counter, increasing it
*/
rc |= ber_printf(ber, "i", conf.counter++);
/*
* Third field is the linkValue
* using ber_put_ostring since it is not null-terminated
*/
rc |= ber_put_ostring(ber, linkValue,
ZOS_REMOTE_LINK_VALUE_SIZE,
LBER_OCTETSTRING);
/*
* Fourth field is the violation
* Don't have anything better yet to put here
*/
rc |= ber_printf(ber, "b", 0);
/*
* Fifth field is the event.
* FIXME: this might be the place to switch on the
* audit record type and map to a more meaningful
* SMF type 83, subtype 4 event here
*/
rc |= ber_printf(ber, "i", ZOS_REMOTE_EVENT_AUTHORIZATION);
/*
* Sixth field is the qualifier. We map 'success' or
* 'res' to this field
*/
rc |= ber_printf(ber, "i", qualifier);
/*
* Seventh field is the Class
* always use '@LINUX' for this version
* max size ZOS_REMOTE_CLASS_SIZE
*/
rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG);
rc |= ber_printf(ber, "s", "@LINUX");
/*
* Eighth field is the resource
* use the record type (name) as the resource
* max size ZOS_REMOTE_RESOURCE_SIZE
*/
rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG);
rc |= ber_printf(ber, "s", type);
/*
* Nineth field is the LogString
* we try to put something meaningful here
* we also start the relocations sequence
*/
rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG);
rc |= ber_printf(ber, "s{", logString);
/*
* Now we start adding the relocations.
* Let's add the timestamp as the first one
* so it's out of the field loop
*/
rc |= ber_printf(ber, "{i", ZOS_REMOTE_RELOC_TIMESTAMP);
rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG);
rc |= ber_printf(ber, "s}", timestamp);
/*
* Check that encoding is going OK until now
*/
if (rc < 0)
goto skip_event;
/*
* Now go to first field,
* and iterate through all fields
*/
auparse_first_field(au);
do {
/*
* we set a maximum of 1024 chars for
* relocation data (field=value pairs)
* Hopefuly this wont overflow too often
*/
char data[1024];
const char *name = auparse_get_field_name(au);
const char *value = auparse_interpret_field(au);
if (name == NULL || value == NULL)
goto skip_event;
/*
* First reloc field is the Relocation type
* We use 'OTHER' here since we don't have
* anything better
*/
rc |= ber_printf(ber, "{i", ZOS_REMOTE_RELOC_OTHER);
/*
* Second field is the relocation data
* We use a 'name=value' pair here
* Use up to 1023 chars (one char left for '\0')
*/
snprintf(data, 1023, "%s=%s", name, value);
rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG);
rc |= ber_printf(ber, "s}", data);
/*
* Check encoding status
*/
if (rc < 0)
goto skip_event;
} while (auparse_next_field(au) > 0);
/*
* After adding all relocations we are done with
* this item - finalize relocs and item
*/
rc |= ber_printf(ber, "}}");
/*
* Check if we are doing well with encoding
*/
if (rc < 0)
goto skip_event;
} while (auparse_next_record(au) > 0);
/*
* We have all items in - finalize item sequence & request
*/
rc |= ber_printf(ber, "}}");
/*
* Check if everything went alright with encoding
*/
if (rc < 0)
goto skip_event;
/*
* finally, enqueue request and let the other
* thread process it
*/
log_debug("Encoding done, enqueuing event");
enqueue(ber);
return;
skip_event:
log_warn("Warning - error encoding request, skipping event");
ber_free(ber, 1); /* free it since we're not enqueuing it */
return;
fatal:
log_err("Error - Fatal error while encoding request. Aborting");
stop = 1;
}
/*
* auparse_callback - callback routine to be executed once a complete event is composed
*/
void
auparse_callback(auparse_state_t * au, auparse_cb_event_t cb_event_type,
void *user_data)
{
int *event_cnt = (int *) user_data;
if (cb_event_type == AUPARSE_CB_EVENT_READY) {
if (auparse_first_record(au) <= 0)
return; /* If no first record, then no event ! */
if (!(flags & F_CHECK))
printf("event=%d records=%d\n", *event_cnt,
auparse_get_num_records(au));
do {
const au_event_t *e = auparse_get_timestamp(au);
if (e == NULL)
return; /* If no timestamp, then no event */
/* If checking, we just emit the raw record again
*/
if (flags & F_CHECK) {
if (e->host != NULL)
printf("node=%s type=%s msg=audit(%u.%3.3u:%lu):",
e->host, auparse_get_type_name(au),
(unsigned) e->sec, e->milli, e->serial);
else
printf("type=%s msg=audit(%u.%3.3u:%lu):",
auparse_get_type_name(au),
(unsigned) e->sec, e->milli, e->serial);
auparse_first_field(au); /* Move to first field */
do {
const char *fname = auparse_get_field_name(au);
/* We ignore the node and type fields */
if (strcmp(fname, "type") == 0
|| strcmp(fname, "node") == 0)
continue;
printf(" %s=%s", fname, auparse_get_field_str(au));
} while (auparse_next_field(au) > 0);
printf("\n");
continue;
}
printf("fields=%d\t", auparse_get_num_fields(au));
printf("type=%d (%s) ", auparse_get_type(au),
auparse_get_type_name(au));
printf("event_tid=%u.%3.3u:%lu ",
(unsigned) e->sec, e->milli, e->serial);
if (flags & F_VERBOSE) {
char *fv, *ifv = NULL;
auparse_first_field(au); /* Move to first field */
do {
fv = (char *) auparse_get_field_str(au);
ifv = (char *) auparse_interpret_field(au);
printf("%s=", auparse_get_field_name(au));
print_escape(stdout, fv, "=()");
printf(" (");
print_escape(stdout, ifv, "=()");
printf(") ");
}
while (auparse_next_field(au) > 0);
}
printf("\n");
}
while (auparse_next_record(au) > 0);
(*event_cnt)++;
}
}
