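/*
 * auparse_callback - dispatch every record of a completed audit event to
 * the handler for its object class and count the event.
 *
 * @_au:           parser state positioned on the event that just completed
 * @cb_event_type: only AUPARSE_CB_EVENT_READY is acted on; anything else is
 *                 ignored
 * @user_data:     int * running event counter, incremented once per event
 *                 that was walked through to its last record
 *
 * The handlers receive the record count of the event and the 1-based index
 * of the current record. An event whose first record cannot be reached, or
 * that yields a record without a timestamp, is abandoned without bumping
 * the counter; records already dispatched are not rolled back.
 */
static void auparse_callback(auparse_state_t *_au, auparse_cb_event_t cb_event_type, void *user_data)
{
	int *event_cnt = (int *)user_data;

	if (cb_event_type != AUPARSE_CB_EVENT_READY)
		return;

	int num_records = auparse_get_num_records(_au);

	/* no first record means there is nothing to dispatch */
	if (auparse_first_record(_au) <= 0)
		return;

	int record_cnt = 1;
	do {
		int audtype = return_audtype(auparse_get_type(_au));

		/* arguments: state, event number, total records in event, this record's number */
		switch (audtype) {
		case PLACE_OBJ:
			process_place_obj(_au, event_cnt, num_records, record_cnt);
			break;
		case USER_OBJ:
			process_user_obj(_au, event_cnt, num_records, record_cnt);
			break;
		case SYSCALL_OBJ:
			process_syscall_obj(_au, event_cnt, num_records, record_cnt);
			break;
		case SOCK_OBJ:
			process_sock_obj(_au, event_cnt, num_records, record_cnt);
			break;
		case EXECVE_OBJ:
			process_execv_obj(_au, event_cnt, num_records, record_cnt);
			break;
		case GENERIC_OBJ:
			process_generic_obj(_au, event_cnt, num_records, record_cnt);
			break;
		default:
			/* unclassified record type: nothing to dispatch */
			break;
		}

		/* a record without a timestamp is not part of a well-formed event */
		if (auparse_get_timestamp(_au) == NULL)
			return;

		record_cnt++;
	} while (auparse_next_record(_au) > 0);

	(*event_cnt)++;
}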
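/*
 * emit_raw_record - re-emit the current record of `au` in the original
 * audit log text form (F_CHECK mode); `e` is the record's timestamp.
 */
static void emit_raw_record(auparse_state_t *au, const au_event_t *e)
{
    if (e->host != NULL)
        printf("node=%s type=%s msg=audit(%u.%3.3u:%lu):",
               e->host, auparse_get_type_name(au),
               (unsigned) e->sec, e->milli, e->serial);
    else
        printf("type=%s msg=audit(%u.%3.3u:%lu):",
               auparse_get_type_name(au),
               (unsigned) e->sec, e->milli, e->serial);

    auparse_first_field(au);        /* Move to first field */
    do {
        const char *fname = auparse_get_field_name(au);

        /* The node and type fields were already printed above. A missing
         * field name is skipped rather than handed to strcmp(). */
        if (fname == NULL
            || strcmp(fname, "type") == 0
            || strcmp(fname, "node") == 0)
            continue;

        const char *fval = auparse_get_field_str(au);
        printf(" %s=%s", fname, fval != NULL ? fval : "");
    } while (auparse_next_field(au) > 0);
    printf("\n");
}

/*
 * emit_verbose_fields - print every field of the current record of `au`
 * as name=raw (interpreted), escaping the raw and interpreted values.
 */
static void emit_verbose_fields(auparse_state_t *au)
{
    auparse_first_field(au);        /* Move to first field */
    do {
        /* NOTE(review): the casts drop const, presumably because
         * print_escape() is declared with a plain char *; if it accepts
         * const char *, drop them. The values are not written to here. */
        char *fv = (char *) auparse_get_field_str(au);
        char *ifv = (char *) auparse_interpret_field(au);
        printf("%s=", auparse_get_field_name(au));
        print_escape(stdout, fv, "=()");
        printf(" (");
        print_escape(stdout, ifv, "=()");
        printf(") ");
    } while (auparse_next_field(au) > 0);
}

/*
 * auparse_callback - callback routine to be executed once a complete event
 * is composed.
 *
 * @au:            parser state positioned on the completed event
 * @cb_event_type: only AUPARSE_CB_EVENT_READY is acted on
 * @user_data:     int * running event counter, incremented once per event
 *                 that was walked through to its last record
 *
 * Behaviour depends on the file-scope `flags`:
 *   F_CHECK   - each record is re-emitted in raw audit text form only
 *   F_VERBOSE - every field is printed after the per-record summary line
 * An event with no first record, or a record without a timestamp, ends
 * processing of that event without incrementing the counter.
 */
void
auparse_callback(auparse_state_t * au, auparse_cb_event_t cb_event_type,
                 void *user_data)
{
    int *event_cnt = (int *) user_data;

    if (cb_event_type != AUPARSE_CB_EVENT_READY)
        return;

    if (auparse_first_record(au) <= 0)
        return;             /* If no first record, then no event ! */

    if (!(flags & F_CHECK))
        printf("event=%d records=%d\n", *event_cnt,
               auparse_get_num_records(au));

    do {
        const au_event_t *e = auparse_get_timestamp(au);
        if (e == NULL)
            return;         /* If no timestamp, then no event */

        /* If checking, we just emit the raw record again */
        if (flags & F_CHECK) {
            emit_raw_record(au, e);
            continue;
        }

        printf("fields=%d\t", auparse_get_num_fields(au));
        printf("type=%d (%s) ", auparse_get_type(au),
               auparse_get_type_name(au));
        printf("event_tid=%u.%3.3u:%lu ",
               (unsigned) e->sec, e->milli, e->serial);
        if (flags & F_VERBOSE)
            emit_verbose_fields(au);
        printf("\n");
    } while (auparse_next_record(au) > 0);

    (*event_cnt)++;
}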