.TH "AUSEARCH-EXPRESSION" "5" "Feb 2008" "Red Hat" "Linux Audit"
ausearch-expression \- audit search expression format
This man page describes the format of "ausearch expressions".
Parsing and evaluation of these expressions is provided by libauparse
and is common to applications that use this library.
White space (ASCII space, tab and new-line characters) between tokens is
The following tokens are recognized:
.B < <= == > >= !== i= i!= r= r!=
Any non-empty sequence of ASCII letters, digits, and the
A sequence of characters surrounded by the
character starts an escape sequence.
The only defined escape sequences are
The semantics of other escape sequences is undefined.
A sequence of characters surrounded by the
character starts an escape sequence.
The only defined escape sequences are
The semantics of other escape sequences is undefined.
Anywhere an unquoted string is valid, a quoted string is valid as well,
In particular, field names may be specified using quoted strings,
and field values may be specified using unquoted strings.
The primary expression has one of the following forms:
.I field comparison-operator value
which specifies the first field with that name within the current audit record,
escape character followed by a string,
which specifies a virtual field with the specified name
(virtual fields are defined in a later section).
specifies the comparison to perform
Get the "raw" string of \fIfield\fR,
and compare it to \fIvalue\fR.
For fields in audit records,
the "raw" string is the exact string stored in the audit record
(with all escaping and unprintable character encoding left alone);
applications can read the "raw" string using
.BR auparse_get_field_str (3).
Each virtual field may define a "raw" string.
is not present or does not define a "raw" string,
the result of the comparison is
(regardless of the operator).
Get the "interpreted" string of \fIfield\fR,
and compare it to \fIvalue\fR.
For fields in audit records,
the "interpreted" string is a "user-readable" interpretation of the field
applications can read the "interpreted" string using
.BR auparse_interpret_field (3).
Each virtual field may define an "interpreted" string.
is not present or does not define an "interpreted" string,
the result of the comparison is
(regardless of the operator).
Evaluate the "value" of \fIfield\fR, and compare it to \fIvalue\fR.
A "value" may be defined for any field or virtual field,
but no "value" is currently defined for any audit record field.
The rules of parsing \fIvalue\fR for comparing it with the "value" of
are specific to each \fIfield\fR.
the result of the comparison is
(regardless of the operator).
does not define a "value", an error is reported when parsing the expression.
In the special case of
\fIregexp-or-string\fR,
the current audit record is taken as a string
(without interpreting field values),
and matched against \fIregexp-or-string\fR.
is an extended regular expression, using a string or regexp token
(in other words, delimited by
are valid expressions,
are valid expressions as well, with the usual C semantics and evaluation
is interpreted as \fB!(\fIfield op value\fB)\fR, not as
\fB(!\fIfield\fB)\fI op value\fR.
The following virtual fields are defined:
The value is the timestamp of the current event.
must have the \fBts:\fIseconds\fR.\fImilli\fR format, where
are decimal numbers specifying the seconds and milliseconds part of the
timestamp, respectively.
The value is the type of the current record.
is either the record type name, or a decimal number specifying the type.
The expression as a whole applies to a single record.
for a specified event if it is
for any record associated with the event.
As a demonstration of the semantics of handling missing fields, the following
.B (\fIfield\fB r= \(dq\(dq) || (\fIfield\fB r!= \(dq\(dq)
and the same expression surrounded by
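As an added illustration of the token classes, the C-style precedence of !, && and ||, and the missing-field rule shown in the example above (this is a constructed Python model, not code from libauparse or the audit project), the evaluator below tokenizes an expression, evaluates r=, r!=, i= and i!= comparisons against a record given as field -> (raw, interpreted) pairs, and yields false for any comparison on a field the record lacks; SAMPLE is a constructed record.

```python
import re
# Token classes from the man page: punctuation and operators, quoted strings (with the
# \" and \\ escapes) and unquoted strings.  Constructed model, not libauparse's own code.
_TOKEN = re.compile(r'\s*(?:(\(|\)|&&|\|\||!(?!=)|<=|>=|==|i=|i!=|r=|r!=|<|>)'
                    r'|"((?:[^"\\]|\\.)*)"|([A-Za-z0-9_]+))')
def tokenize(text):
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("unrecognized token near %r" % text[pos:pos + 10])
        op, quoted, plain = m.groups()      # quoted strings: drop delimiters, resolve \" and \\
        tokens.append(("op", op) if op else ("str", plain or re.sub(r'\\(.)', r'\1', quoted)))
        pos = m.end()
    return tokens

def ausearch_match(expression, record):
    """True if the record (field -> (raw, interpreted)) satisfies the expression."""
    toks = tokenize(expression)
    def take(want=None):
        if not toks or (want and toks[0] != ("op", want)):
            raise ValueError("syntax error near %r" % toks[:1])
        return toks.pop(0)[1]
    def binary(op, operand):                # left-to-right chain of && or || operands
        v = operand()
        while toks[:1] == [("op", op)]:
            take(); r = operand(); v = (v or r) if op == "||" else (v and r)
        return v
    def factor():
        if toks[:1] == [("op", "!")]:       # !field op value means !(field op value)
            take(); return not factor()
        if toks[:1] == [("op", "(")]:
            take(); v = expr(); take(")"); return v
        return primary()
    def primary():                          # field comparison-operator value
        field, op, value = take(), take(), take()
        entry = record.get(field)           # None when the record lacks the field
        if entry is None:                   # missing field: false whatever the operator
            return False
        raw, interp = entry
        return {"r=": raw == value, "r!=": raw != value,
                "i=": interp == value, "i!=": interp != value}[op]
    expr = lambda: binary("||", lambda: binary("&&", factor))   # C precedence: ! > && > ||
    result = expr()
    if toks: raise ValueError("trailing tokens in expression")
    return result

# Constructed sample, modelled on a SYSCALL record: field -> (raw, interpreted)
SAMPLE = {"uid": ("0", "root"), "syscall": ("2", "open"), "success": ("no", "no")}
```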
.SH FUTURE DIRECTIONS
New escape sequences for quoted strings may be defined.
For currently defined virtual fields that do not define a "raw" or
"interpreted" string, the definition may be added.
Therefore, don't rely on the fact
that comparing the "raw" or "interpreted" string of the field with any value
New formats of value constants for the
virtual field may be added.