    ausearch-expression

    OVERVIEW

           This man page describes the format of "ausearch expressions".  Parsing
           and evaluation of these expressions is provided by libauparse and is
           common to applications that use this library.


    LEXICAL STRUCTURE

           White space (ASCII space, tab and new-line characters) between tokens
           is ignored.  The following tokens are recognized:

           Punctuation
                  ( ) \

           Logical operators
                  ! && ||

           Comparison operators
                  < <= == > >= !== i= i!= r= r!=

           Unquoted strings
                  Any non-empty sequence of ASCII letters, digits, and the _
                  symbol.

           Quoted strings
                  A sequence of characters surrounded by the " quotes.  The \
                  character starts an escape sequence.  The only defined escape
                  sequences are \\ and \".  The semantics of other escape
                  sequences is undefined.

           Anywhere an unquoted string is valid, a quoted string is valid as well,
           and vice versa.  In particular, field names may be specified using
           quoted strings, and field values may be specified using unquoted
           strings.


    EXPRESSION SYNTAX

           The primary expression has the following form:

                  field comparison-operator value

           field is either a string, which specifies the first field with that
           name within the current audit record, or the \ escape character
           followed by a string, which specifies a virtual field with the
           specified name (virtual fields are defined in a later section).

           comparison-operator is one of the following:

           i= i!= Evaluate the "interpreted" string of field, and compare it to
                  value.  For fields in audit records, the "interpreted" string
                  is a "user-readable" interpretation of the field value;
                  applications can read the "interpreted" string using
                  auparse_interpret_field(3).  Each virtual field may define an
                  "interpreted" string.  If field is not present or does not
                  define an "interpreted" string, the result of the comparison
                  is false (regardless of the operator).

           < <= == > >= !==
                  Evaluate the "value" of field, and compare it to value.  A
                  "value" may be defined for any field or virtual field, but no
                  "value" is currently defined for any audit record field.  The
                  rules for parsing value for comparison with the "value" of
                  field are specific to each field.  If field is not present,
                  the result of the comparison is false (regardless of the
                  operator).  If field does not define a "value", an error is
                  reported when parsing the expression.

           If E1 and E2 are valid expressions, then ! E1, E1 && E2, and E1 || E2
           are valid expressions as well, with the usual C semantics and
           evaluation priorities.  Note that ! field op value is interpreted as
           !(field op value), not as (!field) op value.


    VIRTUAL FIELDS

           The following virtual fields are defined:

           \timestamp
                  The value is the timestamp of the current event.  value must
                  have the ts:seconds.milli format, where seconds and milli are
                  decimal numbers specifying the seconds and milliseconds part of
                  the timestamp, respectively.

           \record_type
                  The value is the type of the current record.  value is either
                  the record type name, or a decimal number specifying the type.


    SEMANTICS

           The expression as a whole applies to a single record.  The expression
           is true for a specified event if it is true for any record associated
           with the event.


    EXAMPLES

           As a demonstration of the semantics of handling missing fields, the
           following expression is true if field is present:

           New formats of value constants for the \timestamp virtual field may be
           added.
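To make the lexical rules, the C-style precedence of ! && ||, and the missing-field semantics above concrete, here is a small tokenizer, parser and evaluator written for this page; it is not libauparse code. It assumes a record is a dict mapping field names to (raw string, interpreted string or None) pairs, and it parses but does not evaluate the virtual fields \timestamp and \record_type.

```python
import re
# Added example, not libauparse: a small tokenizer, parser and evaluator for the expression
# grammar above.  Assumed record layout: {field_name: (raw_string, interpreted_string_or_None)}.
TOKEN = r'"((?:\\.|[^"\\])*)"|(<=|>=|==|!==|i!=|i=|r!=|r=|<|>|&&|\|\||[()!\\])|([A-Za-z0-9_]+)'
SCAN = re.compile(TOKEN + r'|[ \t\n]+|(.)', re.S)   # white space is skipped; anything else is an error

def tokenize(text):
    for quoted, op, word, bad in (m.groups() for m in SCAN.finditer(text)):
        if bad is not None: raise SyntaxError("invalid character %r in expression" % bad)
        if op or word or quoted is not None:       # quoted and unquoted strings are interchangeable
            yield ("op", op) if op else ("str", word or re.sub(r'\\(["\\])', r'\1', quoted))

def parse(text):
    # Recursive descent with C precedence: ! binds tightest, then &&, then ||.
    toks = list(tokenize(text))
    def peek(): return toks[0] if toks else (None, None)
    def take(kind):
        if peek()[0] != kind: raise SyntaxError("expected %s, got %r" % (kind, peek()))
        return toks.pop(0)[1]
    def binary(op, operand):
        node = operand()
        while peek() == ("op", op):
            toks.pop(0)
            node = (op, node, operand())
        return node
    def unary():
        if peek() == ("op", "!"):                  # ! field op value is !(field op value), not (!field) op value
            toks.pop(0)
            return ("!", unary())
        if peek() == ("op", "("):
            toks.pop(0)
            node = expr()
            if take("op") != ")": raise SyntaxError("expected )")
            return node
        virtual = peek() == ("op", "\\") and toks.pop(0)   # \name selects a virtual field
        return ("cmp", bool(virtual), take("str"), take("op"), take("str"))
    def expr(): return binary("||", lambda: binary("&&", unary))
    node = expr()
    if toks: raise SyntaxError("unexpected trailing tokens")
    return node

def evaluate(node, record):
    if node[0] == "||": return evaluate(node[1], record) or evaluate(node[2], record)
    if node[0] == "&&": return evaluate(node[1], record) and evaluate(node[2], record)
    if node[0] == "!": return not evaluate(node[1], record)
    _, virtual, field, op, value = node
    if virtual or op not in ("r=", "r!=", "i=", "i!="):  # no "value" defined for record fields: an error, not False
        raise ValueError("unsupported comparison %s on field %s" % (op, field))
    actual = record.get(field, (None, None))[0 if op[0] == "r" else 1]   # index 0 = raw, 1 = interpreted string
    if actual is None: return False                # absent field or no interpreted string: false for any operator
    return actual == value if op in ("r=", "i=") else actual != value
```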
    
    
    

    AUTHOR

           Miloslav Trmac

    Red Hat Feb 2008 AUSEARCH-EXPRESSION(5)

Copyright © 1999 - 2016 by LinuxGuruz