Parsing library for audit messages.

The module defines the following exceptions:

    NoParser: Raised if the underlying C code parser is not bound to the AuParser object.

AuParser(source_type, source)
    Construct a new audit parser object and bind it to input data.
    source_type: one of the AUSOURCE_* constants.
    source: the input data, dependent on the source_type as follows:
        AUSOURCE_LOGS: None (system log files will be parsed)
        AUSOURCE_FILE: string containing file path name
        AUSOURCE_FILE_ARRAY: list or tuple of strings each containing a file path name
        AUSOURCE_BUFFER: string containing audit data to parse
        AUSOURCE_BUFFER_ARRAY: list or tuple of strings each containing audit data to parse
        AUSOURCE_DESCRIPTOR: integer file descriptor (e.g. fileno)
        AUSOURCE_FILE_POINTER: file object (e.g. types.FileType)
        AUSOURCE_FEED: None (data supplied via feed())

interpret_sock_address()
    Return an interpretation of the current field's socket address. Only supported on sockaddr field types. If the field cannot be interpreted the field is returned unmodified.
    Raises exception (RuntimeError) on error.

interpret_sock_port()
    Return an interpretation of the current field's socket port. Only supported on sockaddr field types. If the field cannot be interpreted the field is returned unmodified.
    Raises exception (RuntimeError) on error.

interpret_sock_family()
    Return an interpretation of the current field's socket family. Only supported on sockaddr field types. If the field cannot be interpreted the field is returned unmodified.
    Raises exception (RuntimeError) on error.

interpret_realpath()
    Return an interpretation of the current field as a realpath string that has the chosen character escaping applied. If the field cannot be interpreted the field is returned unmodified.
    Raises exception (RuntimeError) on error.

interpret_field()
    Return an interpretation of the current field as a string that has the chosen character escaping applied. If the field cannot be interpreted the field is returned unmodified.
    Raises exception (RuntimeError) on error.

get_field_int()
    Get the current field's value as an integer. get_field_int() allows access to the value, as an int, of the current field of the current record in the current event.
    Returns the field's numeric value. Raises exception (EnvironmentError) on error.

get_field_type()
    Get the current field's data type value. get_field_type() returns a value from the auparse_type_t enum that describes the kind of data in the current field of the current record in the current event.
    Returns AUPARSE_TYPE_UNCLASSIFIED if the field's data type has no known description or is an integer. Otherwise it returns another enum value. Fields with the type AUPARSE_TYPE_ESCAPED must be interpreted to access their value, since those fields' raw value is encoded.

get_field_str()
    Get the current field's value. get_field_str() allows access to the value in the current field of the current record in the current event.
    Returns a string. Raises exception (RuntimeError) on error.

get_field_name()
    Get the current field's name. get_field_name() allows access to the current field name of the current record in the current event.
    Returns None if the field value is unavailable, otherwise a string. Raises exception (RuntimeError) on error.

find_field_next()
    Get the next occurrence of the field name. find_field_next() returns the value associated with the next occurrence of the field name.
    Returns the value associated with the field, or None if there is no next field. Raises exception (EnvironmentError) on error.

find_field(name)
    Search for a field name. find_field() will scan all records in an event to find the first occurrence of the field name passed to it. Searching begins from the cursor's current position. The field name is stored for subsequent searching.
    Returns the value associated with the field, or None if not found.

get_record_text()
    Return unparsed record data. get_record_text() returns the full unparsed record.
    Raises exception (EnvironmentError) on error.

get_num_fields()
    Get the number of fields.
    Returns the number of fields in the current event. Raises exception (EnvironmentError) on error.

next_field()
    Advance the field cursor. next_field() moves the library's internal cursor to point to the next field in the current record of the current event.
    Returns True on success, False if no more fields exist.

first_field()
    Reposition the field cursor.
    Returns True on success, False if there is no event data.

get_filename()
    Get the filename where the record was found. get_filename() will return the name of the source file where the record was found if the source type is AUSOURCE_FILE or AUSOURCE_FILE_ARRAY. For other source types the return value will be None.

get_line_number()
    Get the line number where the record was found. get_line_number() will return the source input line number for the current record of the current event. Line numbers start at 1. If the source input type is AUSOURCE_FILE_ARRAY the line numbering will reset back to 1 each time a new file in the file array is opened.
    Raises exception (RuntimeError) on error.

get_type_name()
    Get the current record's type name. get_type_name() allows access to the current record type name in the current event.
    Raises exception (LookupError) on error.

get_type()
    Get the record's type. get_type() will return the integer value for the current record of the current event.
    Returns the record type. Raises exception (LookupError) on error.

goto_record_num()
    Move the record cursor to a specific position. goto_record_num() will move the internal library cursors to point to a specific physical record number. Records within the same event are numbered starting from 0. This is generally not needed, but there are some cases where one may want precise control over the exact record being looked at.
    Returns True on success, False if there are no more records in the current event. Raises exception (EnvironmentError) on error.

next_record()
    Advance the record cursor. next_record() will move the internal library cursors to point to the next record of the current event.
    Returns True on success, False if there are no more records in the current event. Raises exception (EnvironmentError) on error.

first_record()
    Reposition the record cursor. first_record() repositions the internal cursors of the parsing library to point to the first record in the current event.
    Returns True on success, False if there is no event data. Raises exception (EnvironmentError) on error.

get_num_records()
    Get the number of records.
    Returns the number of records in the current event. Raises exception (RuntimeError) on error.

get_timestamp()
    Return the current event's timestamp.
    Returns the current event's timestamp info as an AuEvent object. Raises exception (EnvironmentError) on error.

aup_normalize_key()
    This function positions the internal cursor on the key field of the event.
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

aup_normalize_how()
    This returns a string that indicates how the object is being accessed. This is usually a program.
    Raises exception (RuntimeError) on error.

aup_normalize_get_results()
    This function positions the internal cursor on the results field of the event.
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

aup_normalize_object_kind()
    This returns a string that indicates the kind of thing the object is.
    Raises exception (RuntimeError) on error.

aup_normalize_object_next_attribute()
    This function positions the internal cursor on the object's next attribute field of the event.
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

aup_normalize_object_first_attribute()
    This function positions the internal cursor on the object's first attribute field of the event.
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

aup_normalize_object_secondary()
    This function positions the internal cursor on the object's secondary field of the event.
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

aup_normalize_object_primary()
    This function positions the internal cursor on the object's field of the event.
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

aup_normalize_get_action()
    This returns a string that indicates the subject's action.
    Raises exception (RuntimeError) on error.

aup_normalize_subject_kind()
    This returns a string that indicates the kind of account the subject is.
    Raises exception (RuntimeError) on error.

aup_normalize_subject_next_attribute()
    This function positions the internal cursor on the subject's next attribute field of the event.
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

aup_normalize_subject_first_attribute()
    This function positions the internal cursor on the subject's first attribute field of the event.
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

aup_normalize_subject_secondary()
    This function positions the internal cursor on the subject's secondary field of the event.
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

aup_normalize_subject_primary()
    This function positions the internal cursor on the subject's field of the event.
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

aup_normalize_session()
    This function positions the internal cursor on the session field of the event.
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

aup_normalize_get_event_kind()
    This returns a string that indicates what kind of event this is.
    Raises exception (RuntimeError) on error.

aup_normalize(opt)
    Normalize the audit event for uniform access to fields. aup_normalize() takes an argument to decide if it should also gather subject and object attributes. The possible values are:
        NORM_OPT_ALL: include subject and object attributes
        NORM_OPT_NO_ATTRS: do not gather subject and object attributes
    Returns True on success, False if uninitialized. Raises exception (ValueError) on error.

parse_next_event()
    Advance the parser to the next event. parse_next_event() will position the cursors at the first field of the first record of the next event in a file or buffer. It does not skip events or honor any search criteria that may be stored.
    Returns True if the parser advances to the next event, False if there are no more events to parse. Raises exception (EnvironmentError) on error.

search_next_event()
    Find the next event that meets the search criteria. search_next_event() will scan the input source and evaluate whether any record in an event contains the data being searched for. Evaluation is done at the record level.
    Returns True if a match was found, False if a match was not found. Raises exception (EnvironmentError) on error.

search_clear()
    Clear search parameters. search_clear() clears any search parameters stored in the parser instance and frees the memory associated with them.
    No return value.

search_set_stop(where)
    Set where the cursor is positioned on a search match. search_set_stop() determines where the internal cursor will stop when a search condition is met. The possible values are:
        AUSEARCH_STOP_EVENT: repositions the cursors to the first field of the first record of the event containing the items searched for.
        AUSEARCH_STOP_RECORD: repositions the cursors to the first field of the record containing the items searched for.
        AUSEARCH_STOP_FIELD: simply stops on the current field when the evaluation of the rules becomes true.
    No return value. Raises exception (ValueError) on error.

search_add_regex(regexp)
    Add a regular expression to the search criteria.
    No return value. Raises exception (EnvironmentError) on error.

search_add_timestamp_item_ex(op, sec, milli, serial, how)
    Build up a search rule. search_add_timestamp_item_ex() adds an event time condition to the current audit search expression. It is similar to search_add_timestamp_item() except that it also matches on the event serial number.

search_add_timestamp_item(op, sec, milli, how)
    Build up a search rule. search_add_timestamp_item() adds an event time condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest.
    The op parameter specifies the desired comparison. Legal op values are "<", "<=", ">=", ">" and "=". The left operand of the comparison operator is the timestamp of the examined event; the right operand is specified by the sec and milli parameters.
    The how parameter determines how this search expression will affect the existing search expression, if one is already defined. The possible values are:
        AUSEARCH_RULE_CLEAR: Clear the current search expression, if any, and use only this search expression.
        AUSEARCH_RULE_OR: If a search expression E is already configured, replace it by (E || this_search_expression).
        AUSEARCH_RULE_AND: If a search expression E is already configured, replace it by (E && this_search_expression).
    No return value. Raises exception (EnvironmentError) on error.

search_add_interpreted_item(field, op, value, how)
    Build up a search rule. search_add_interpreted_item() adds one search condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest.
    The field value is the field name that the value will be checked for. The op variable describes what kind of check is to be done. Legal op values are:
        'exists': Just check that a field name exists.
        '=': Locate the field name and check that the value associated with it is equal to the value given in this rule.
        '!=': Locate the field name and check that the value associated with it is NOT equal to the value given in this rule.
    The value parameter is compared to the interpreted field value (the value that would be returned by AuParser.interpret_field).
    The how parameter determines how this search expression will affect the existing search expression, if one is already defined. The possible values are:
        AUSEARCH_RULE_CLEAR: Clear the current search expression, if any, and use only this search expression.
        AUSEARCH_RULE_OR: If a search expression E is already configured, replace it by (E || this_search_expression).
        AUSEARCH_RULE_AND: If a search expression E is already configured, replace it by (E && this_search_expression).
    No return value. Raises exception (EnvironmentError) on error.

search_add_item(field, op, value, how)
    Build up a search rule. search_add_item() adds one search condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest.
    The field value is the field name that the value will be checked for. The op variable describes what kind of check is to be done. Legal op values are:
        'exists': Just check that a field name exists.
        '=': Locate the field name and check that the value associated with it is equal to the value given in this rule.
        '!=': Locate the field name and check that the value associated with it is NOT equal to the value given in this rule.
    The value parameter is compared to the uninterpreted field value.
    The how parameter determines how this search expression will affect the existing search expression, if one is already defined. The possible values are:
        AUSEARCH_RULE_CLEAR: Clear the current search expression, if any, and use only this search expression.
        AUSEARCH_RULE_OR: If a search expression E is already configured, replace it by (E || this_search_expression).
        AUSEARCH_RULE_AND: If a search expression E is already configured, replace it by (E && this_search_expression).
    No return value. Raises exception (EnvironmentError) on error.

search_add_expression(expression, how)
    Build up a search expression. search_add_expression() adds an expression to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest.
    The expression parameter contains an expression, as specified in ausearch-expression(5).
    The how parameter determines how this search expression will affect the existing search expression, if one is already defined. The possible values are:
        AUSEARCH_RULE_CLEAR: Clear the current search expression, if any, and use only this search expression.
        AUSEARCH_RULE_OR: If a search expression E is already configured, replace it by (E || this_search_expression).
        AUSEARCH_RULE_AND: If a search expression E is already configured, replace it by (E && this_search_expression).
    No return value. Raises exception (EnvironmentError) on error.

reset()
    Reset the audit parser instance. reset() resets all internal cursors to the beginning. It closes files and descriptors.
    Returns None. Raises exception (EnvironmentError) on error.

set_escape_mode(mode)
    Set audit parser escaping. This function sets the character escaping applied to value fields in the audit record.
    Returns None.

add_callback(callback, user_data)
    Add a callback handler for notifications. add_callback() adds a callback function to the parse state which is invoked to notify the application of parsing events. The signature of the callback is:
        callback(au, cb_event_type, user_data)
    When the callback is invoked it is passed:
        au: the AuParser object
        cb_event_type: enumerated value indicating the reason why the callback was invoked
        user_data: user supplied private data
    The cb_event_type argument indicates why the callback was invoked. Its possible values are:
        AUPARSE_CB_EVENT_READY: A complete event has been parsed and is ready to be examined. This is logically equivalent to the parse state immediately following auparse_next_event().
    Returns None. Raises exception (EnvironmentError) on error.

feed_age_events()
    Age events by the clock. feed_age_events() should be called to time out events by the clock. Any newly complete events will be sent to the callback function.
    Returns None.

feed_has_data()
    Determines if there are any records that are accumulating but not yet ready to emit.
    Returns True if data is left and False otherwise.

flush_feed()
    Flush any unconsumed feed data through the parser. flush_feed() should be called to signal the end of feed input data and flush any pending parse data through the parsing system.
    Returns None. Raises exception (EnvironmentError) on error.

feed(data)
    Supplies new data for the parser to consume. AuParser() must have been called with a source type of AUSOURCE_FEED. The parser consumes as much data as it can, invoking the user supplied callback specified with add_callback() with a cb_event_type of AUPARSE_CB_EVENT_READY each time the parser recognizes a complete event in the data stream. Data not fully parsed will persist and be prepended to the next feed data. After all data has been fed to the parser, flush_feed() should be called to signal the end of input data and flush any pending parse data through the parsing system.
    Returns None. Raises exception (EnvironmentError) on error.

AuEvent
    An internal object which encapsulates the timestamp, serial number and host information of an audit event. The object cannot be instantiated from Python code; rather it is returned from the audit parsing API.
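The search semantics documented above for search_add_item(), search_add_timestamp_item() and search_next_event() (the 'exists', '=' and '!=' ops, the timestamp comparison, and the AUSEARCH_RULE_CLEAR / AUSEARCH_RULE_OR / AUSEARCH_RULE_AND combination rules), worked through in a small pure-Python stand-in. This is an added example, not code from the auparse module: the Event and Searcher classes, the constructed sample records, the string values given to the AUSEARCH_RULE_* names, and the rule that '!=' only matches when the field is present are this example's own assumptions.

```python
import re
from typing import Callable, Dict, List, Optional

# Constant names mirror the documented ones; the values are this example's own.
AUSEARCH_RULE_CLEAR, AUSEARCH_RULE_OR, AUSEARCH_RULE_AND = "clear", "or", "and"

# Constructed sample log: four records forming three events (serial 42 has two).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 key="exec"
type=EXECVE msg=audit(1700000000.123:42): argc=2 a0="ls" a1="-l"
type=USER_LOGIN msg=audit(1700000001.456:43): pid=2222 uid=0 auid=1000 res=success
type=SYSCALL msg=audit(1700000002.789:44): arch=c000003e syscall=2 success=no exit=-13 uid=1000 auid=1000 key="files"
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')

class Event:
    """One audit event: every record that shares a timestamp and serial number."""
    def __init__(self, sec: int, milli: int, serial: int) -> None:
        self.sec, self.milli, self.serial = sec, milli, serial
        self.records: List[Dict[str, str]] = []

def parse_record(line: str) -> Dict[str, str]:
    """Split a raw record into fields; values stay uninterpreted (quotes kept)."""
    return dict(FIELD_RE.findall(line))

def parse_events(text: str) -> List[Event]:
    """Group records into events by the audit(sec.milli:serial) stamp in msg=."""
    events: Dict[int, Event] = {}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        m = MSG_RE.search(rec.get("msg", ""))
        if m is None:
            raise ValueError("record has no audit(sec.milli:serial) stamp: " + line)
        sec, milli, serial = (int(x) for x in m.groups())
        events.setdefault(serial, Event(sec, milli, serial)).records.append(rec)
    return list(events.values())

class Searcher:
    """Stand-in for search_add_item / search_add_timestamp_item / search_next_event."""
    def __init__(self, events: List[Event]) -> None:
        self._events, self._pos = events, 0
        self._expr: Optional[Callable[[Event], bool]] = None
        self.current: Optional[Event] = None   # event the cursor stopped on

    def _combine(self, cond: Callable[[Event], bool], how: str) -> None:
        prev = self._expr
        if how == AUSEARCH_RULE_CLEAR or prev is None:
            self._expr = cond
        elif how == AUSEARCH_RULE_OR:
            self._expr = lambda ev: prev(ev) or cond(ev)   # (E || this)
        elif how == AUSEARCH_RULE_AND:
            self._expr = lambda ev: prev(ev) and cond(ev)  # (E && this)
        else:
            raise ValueError("unknown 'how' value")

    def search_add_item(self, field: str, op: str, value: Optional[str], how: str) -> None:
        if op not in ("exists", "=", "!="):
            raise ValueError("op must be 'exists', '=' or '!='")
        def cond(ev: Event) -> bool:
            # Evaluation is at the record level: any record in the event may match.
            for rec in ev.records:
                if op == "exists" and field in rec:
                    return True
                if op == "=" and rec.get(field) == value:
                    return True
                # Assumption of this model: '!=' only matches when the field is present.
                if op == "!=" and field in rec and rec[field] != value:
                    return True
            return False
        self._combine(cond, how)

    def search_add_timestamp_item(self, op: str, sec: int, milli: int, how: str) -> None:
        ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
               ">": lambda a, b: a > b, "=": lambda a, b: a == b}
        if op not in ops:
            raise ValueError("op must be one of <, <=, >=, >, =")
        # Left operand: the examined event's timestamp; right operand: (sec, milli).
        self._combine(lambda ev: ops[op]((ev.sec, ev.milli), (sec, milli)), how)

    def search_next_event(self) -> bool:
        """Advance to the next event satisfying the expression; False when none remain."""
        while self._pos < len(self._events):
            ev, self._pos = self._events[self._pos], self._pos + 1
            if self._expr is None or self._expr(ev):
                self.current = ev
                return True
        return False

def matching_serials(searcher: Searcher) -> List[int]:
    """Drain a searcher and return the serial numbers of every matching event."""
    found: List[int] = []
    while searcher.search_next_event():
        found.append(searcher.current.serial)
    return found
```

To try it, build a Searcher over parse_events(SAMPLE_LOG), add rules with search_add_item() and search_add_timestamp_item(), and drain it with matching_serials(); adding a 'key' exists rule with AUSEARCH_RULE_CLEAR, then success = yes with AUSEARCH_RULE_AND, then a "> 1700000001.0" timestamp rule with AUSEARCH_RULE_OR yields serials 42, 43 and 44.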