I 'll use auparse_reset() but from the description it's not clear if it will reset the curson to the beginning to the current record ? https://github.com/linux-audit/audit-userspace/blob/4e6deae41d4646d28bb3ba9524a8a227a38ccd0b/docs/auparse_reset.3#L11
150 static void handle_event(auparse_state_t *au, 151 auparse_cb_event_t cb_event_type, void *user_data) 152 { 153 int type, num = 0; 154 const char *perm; 155 while (auparse_goto_record_num(au, num) > 0) { 156 type = auparse_get_type(au); 157 158 switch (type) { 159 case AUDIT_AVC: 160 case AUDIT_USER_AVC: 161 perm = auparse_find_field(au, "permissive"); 162 auparse_reset(au); 163 if (perm) { 164 if (*perm == '0') { 165 dump_avc_critical_record(au); 166 } 167 else if (*perm == '1') { 168 dump_avc_info_record(au); 169 } 170 } 171 else { 172 dump_avc_info_record(au); 173 } 174 break; 175 default: 176 dump_whole_record(au); 177 break; 178 } 179 num ++; 180 } 181 } _______________________________________________ Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io To unsubscribe send an email to linux-audit-le...@lists.linux-audit.osci.io