ELF>L@%@8 @@:@:@@@-A-Adrdr     $$Std Ptd```QtdRtd GNUGNUپqQ~אidt(tvtf3+˭|Xova   Fd0P`U~n{b C 7m ;A  1  e + W V@~/n ;D (T  s ;,  KF"X QW  z} tD__gmon_start___ITM_deregisterTMCloneTable_ITM_registerTMCloneTable__cxa_finalize_Py_Deallocauparse_timestamp_compare_Py_NotImplementedStruct_Py_TrueStruct_Py_FalseStructPyLong_FromLongPyUnicode_FromString_Py_NoneStructlocaltimestrftime__snprintf_chk__stack_chk_failcallback_data_destroyPyMem_Free_Py_BuildValue_SizeTPyEval_CallObjectWithKeywordsauparse_destroy_PyArg_ParseTuple_SizeTauparse_feedPyExc_EnvironmentErrorPyErr_SetFromErrnoPyErr_SetStringauparse_feed_age_eventsauparse_flush_feedauparse_feed_has_dataauparse_feed_has_ready_eventPyFunction_TypePyMem_Mallocauparse_add_callbackPyExc_ValueErrorPyErr_NoMemoryauparse_set_escape_modeauparse_set_eoe_timeoutauparse_resetauparse_metricsfreePyExc_RuntimeErrorausearch_add_expressionausearch_add_itemausearch_add_interpreted_itemausearch_add_timestamp_itemausearch_add_timestamp_item_exausearch_add_regexausearch_set_stopausearch_clearausearch_next_eventauparse_next_eventauparse_normalizeauparse_normalize_get_event_kindauparse_normalize_sessionauparse_normalize_subject_primaryauparse_normalize_subject_secondaryauparse_normalize_subject_first_attributeauparse_normalize_subject_next_attributeauparse_normalize_subject_kindauparse_normalize_get_actionauparse_normalize_object_primaryauparse_normalize_object_secondaryauparse_normalize_object_first_attributeauparse_normalize_object_next_attributeauparse_normalize_object_kindauparse_normalize_get_resultsauparse_normalize_howauparse_normalize_keyauparse_get_timestamp__errno_locationauparse_get_num_recordsauparse_first_recordauparse_next_recordauparse_get_record_numauparse_goto_record_numauparse_get_typePyExc_LookupErrorauparse_get_type_nameauparse_get_line_numberauparse_get_filenameauparse_first_fieldauparse_next_fieldauparse_get_num_fieldsauparse_get_record_textauparse_find_fieldauparse_find_field_nextauparse_get_field_numauparse_goto_field_numauparse_get_field_nameauparse_get_field_strauparse_get_field_typeauparse_get_field_intauparse_interpret_fieldauparse_interpret_realpathauparse_interpret_sock_familyauparse_interpret_sock_portauparse_interpret_sock_addressPyFile_CheckPyImport_ImportModulePyObject_GetAttrStringPyObject_IsInstance_PyArg_ParseTupleAndKeywords_SizeTPyObject_AsFileDescriptorfdopenauparse_initPySequence_CheckPySequence_SizePySequence_GetItemPyUnicode_AsUTF8PyExc_IOErrorPyErr_SetFromErrnoWithFilenamePyExc_TypeErrorPyInit_auparsePyType_ReadyPyModule_Create2PyModule_AddObjectPyErr_NewExceptionPyModule_AddIntConstantlibauparse.so.0libaudit.so.1libcap-ng.so.0libc.so.6auparse.soGLIBC_2.4GLIBC_2.2.5GLIBC_2.3.4: ii O ui Y ti e M`M   R  U( @S8 @ `H SX  ` nh Tx   R   pT   U   0V `!!V! !(!W8!@!H!WX!`!חh!Xx!`!!Y!!!`Z!!!@[!!:!0\!"K"\" "[("]8"@"hH"^X"@`"zh"^x"""_"""_"@""@`"`"̘"`"##@a# #(#a8#@#H#@bX#`#h#bx###0c#`##c### d##0#d#$X$ e$ $;($e8$@$UH$fX$ `$oh$fx$`$$g$$$g$$$0h$@$$h$ %% i% %ʙ(%i8%@@%ٙH%jX%``%h%jx%%%Pk%%%k%`%%0l%@%%l%&)&l& &4(&Pm8& @&CH&mX&`&Sh& ox&&c&o&&q&p&&&0n&&&p&''Pq' '('q8'@'H'rX'`'h'rx''ʚ'r''ݚ'`s'''s'''@t' (((N8("H(0P( O`(6p(Sx(`O(Z(u(O(z()@)-))Q0*`h* p*`-x* -*u*M8+P+M+O+@+pN,-,-, (,,!$*+t;<=?ISVhipPX`hpx     v (08@H P"X#`%h&p'x(),-./0123456789:>@AB C(D0E8F@GHHPJXK`LhMpNxOPQRTUWXYZ[\]^_`abcde f(g0j8k@lHmPnXo`phqprxsHHHtH5%hhhhhhhhqhah Qh Ah 1h !h hhhhhhhhhhqhahQhAh1h!hhhh h!h"h#h$h%h&h'qh(ah)Qh*Ah+1h,!h-h.h/h0h1h2h3h4h5h6h7qh8ah9Qh:Ah;1h<!h=h>h?h@hAhBhChDhEhFhGqhHahIQhJAhK1hL!hMhNhOhPhQhRhShThUhVhWqhXahYQhZAh[1h\!h]h^h_h`hahbhchdhe%D%D%D%D%D%D%D%}D%uD%mD%eD%]D%UD%MD%ED%=D%5D%-D%%D%D%D% D%D%D%D%D%D%D%D%D%D%D%D%D%D%D%D%D%D%}D%uD%mD%eD%]D%UD%MD%ED%=D%5D%-D%%D%D%D% D%D%D%D%D%D%D%D%D%D%D%D%D%D%D%D%D%D%}D%uD%mD%eD%]D%UD%MD%ED%=D%5D%-D%%D%D%D% D%D%D%D%D%D%D%D%D%D%D%D%D%D%D%D%DH=HH9tHvHt H=H5H)HH?HHHtHHtfD=uu+UH=Ht H=)dM]wH10HtH@Hff.UHHHtH/tIH}HtH/tJH} HtH/tKH}(HtH/tHEH]H@ fffSH0H0LttBt&HH[ÐuH-H[xHH[~HHGHt HfDSHH0HCHtH[ff.HGHt HfDSH8LHCHtH[ff.fHG Ht HfDSHH@ HC HtH[ff.SHHHHtHC(HtH[HC(Hu[HH[AUATUSHXfo*LgHdH%(HD$H1HG0Ho@D$>)D$fo _8H|$HD$H=%%ld hoHD$0%sD$8st=%fD$<)D$ HL-HHT$LHtZHAMh1ATH=QUKH HD$HdH+%(uHHXH=,[]A\A]fohd 0)Dfo8)f.Ht'UHHH/t!H}HtH/t*H]qH}HufATH=s>1USHHJH3H{1HH]HmItMtI,$t[]A\fHxfD[L]A\d@UHHHtzHEH]H@fSHHH5=H0dH%(HD$(1HL$HT$ t_HCHt^HT$Ht$ Hu(HQHHT$(dH+%(uLH0[HH8A1D1@H=9H5HHD$HD$ff.HHGHtHgHHHH=H5HHD$HD$ՐHHGHt?HuHlHHHAH8q1Hf.H=iH5*HHD$8HD$빐HHGHt/H'tHHHHHHH= H5GHD$HD$ɐHHGHt/HwtHHHHyHHH=H5jGHD$xHD$ɐUHHH5;SH8dH%(HD$(1HL$HT$ HD$HD$ HH9XHEHHHHL$ HH(HHHD$HtCHBH}H5dHH H`HHHT$(dH+%(uhH8[]fH\$HfD1@H)H5:H8b1fD먐H=iH5*FHD$8HD$ff.SHHH5:HdH%(HD$1HT$A1EtH{t$YHHHT$dH+%(uH[sHHH5:dH%(HD$1HT$A1EtHc|$@HYHHT$dH+%(uH ff.HHGHt?HuH HHHH81Hf.H= H5DHD$HD$빐ATUHLgMtHD$HD$ff.SHHH5U3H dH%(HD$1HT$PtTHCHtSt$Hu#HHHT$dH+%(uGH [fH1H81D1@H=yH5:>HD$HHD$ff.HHGHtHHHHH=H5=HD$HD$ՐHHGHtOHu!HHHÐHHHHqH81Hf.H=H5Z=HD$hHD$뫐HHGHtOHu!HHHÐH!HHHH8!1Hf.H=H5<HD$HD$뫐SHHH5E1H dH%(HD$1HT$@tLHCHtct$Hw#u9HjHHT$dH+%(uUH [HaH1@H H8Y1DH=YH5<HD$(HD$ff.HHHtHt5HH=71H0H=H5;1HfDHiH520H8HHGHtOHu!HZHHÐHaHHHH8a1Hf.H=YH5;HD$(HD$뫐HHGHtOHu!HھHHÐHHHHH81Hf.H=H5:HD$HD$뫐HHGHtOHu!HZHHÐHaHHHH8a1Hf.H=YH5:HD$(HD$뫐HHGHtOHu!HڽHHÐHHHHH81Hf.H=H59HD$HD$뫐HHGHtOHu!HZHHÐHaHHHH8a1Hf.H=YH59HD$(HD$뫐HHHtjHt5HH=41H@H= H581HfDHyH5\-H8HHHtZHt5HH=j41HH=H5Z8m1HfDH H5-H8JHHGHtOH7u!HHHÐHHHHH81Hf.H=H57HD$HD$뫐HHGHtOHGu!HzHHÐHHHH1H81Hf.H=yH5:7HD$HHD$뫐HHGHtOHu!HHHÐHHHHH81Hf.H=H56HD$HD$뫐HHGHtOHu!HzHHÐHHHH1H81Hf.H=yH5:6HD$HHD$뫐HHHtZHt5HH=11H`H=)H551HfDHH5*H8HHGHtOHwu!HHHÐHHHHAH81Hf.H=H5J5HD$XHD$뫐HHHtZHt5HH= 11HpH=9H54 1HfDHH5)H8HHGHtOHu!HHHÐHHHHQH81Hf.H=H5Z4HD$hHD$뫐SHHGHt^HHHt.1H=uHto@0oKH@H[u5HHH[@H= H53HD$HD$븐HH81ff.fHHHt?ƅtH=(1HfH)H5l(H8j1HH=yH5:3Mff.HHGHtOHu!HHHÐHHHHѶH81Hf.H=H52HD$HD$뫐HHGHtOHu!HzHHÐHHHHQH81Hf.H=yH5:2HD$HHD$뫐HHHt?*ƅtH=3'1HbfHH5'H81HH= H51ff.SHHH55&H dH%(HD$1HT$0tLHCHtct$HW#u9HZHHT$dH+%(uUH [HQH1@HH8I1DH=IH5 1HD$HD$ff.HHHt?zƅtH=T%1H"fHٴH5%H81HH=H50ff.HHHtjHt5HH=J,1HH=yH5:0M1HfDHIH5J%H8*HHHt?ƅtH=%1HBfHH5%H81HH=H5/ff.UHoHt:H HHtH=j+1]H-iHEH]H=H5B/UHHGHt/HtH$HHHHHH=)H5.HD$HD$ɐHHGHt/HgtHIJHHHHHH=H5.HD$HD$ɐHHHt?ƅtH="1HfH1H8a1Hf.H=YH5.-ff.HHHtHt5HH=)1H@H= H5-1HfDHH8ff.@ATIHH5"HdH%(HD$1HH$ tuMd$MtsH4$L/IHt7HH=,)1IHD$dH+%(udHLA\fu5L%I$E1H=H5,HH8f.UHoHtBHHHtHH=w(1] u-H-nHEH]@H=H5J,]H)H8YHHHt?:ƅtH=3!1HbfHH5@!H81HH= H5+ff.SHHH55 H dH%(HD$1HT$0tLHCHtct$H#u9HZHHT$dH+%(uUH [HQH1@HH8I1DH=IH5 +HD$HD$ff.HHHtHt5HH=&1H H=H5*1HfDHYH5H8HHHtHt5HH=J&1HH=yH5:*M1HfDHH5H8*HHHt*H=zH1FfDH= H5)1HfDUHHtB6uH=1]HiH81]DH=H5Z)mff.HHHtHt5HH=%1HH=IH5 )1HfDHH5yH8HHHtHt5HH=$1HH=ٺH5(1HfDHIH5 H8HHHtHt5HH=:$1HH=iH5*(=1HfDH٫H5H8HHHtHt5HH=#1H0H=H5'1HfDHiH5)H8HHHt:Ht5HH=Z#1HH=H5J']1HfDHH5H8:UHH=\Ht'H5H(HHtH]1]ff.AVAUIATIUHSH HHdH%(HD$1D$ H\$Ht5ID$1LL$LD$ LH VH HE|$ $D$ H)HcH>H|$oH|$H5"NHH|$ iID$HY1HT$dH+%(;H []A\A]A^DH9\$o1ID$HuHpH8H|$~H|$LHŃZxHcHIH?Du1ۅ.fDSHCL9HH|$HHHIDHgHmuHXfDH|$HH|$ 1ID$HfDH|$H|$lHÃzxHcH1IH_Ds1DSHCI9pHH|$HHHIDHHmuHxfDH|$HcH HH5|%H8@H9\$11$ID$HHoH8H|$HGHHtK|$ HID$HcHHH8iKHH5H8*HcIDH|$ LeID$HLf.HcIDH|$ L%ID$HuH|H8'f.H51#H:H8zHmt#LK{H5#HHH5$H80@HץH5("H8 HH5"H8HH51"H8HhH5#H8RH[H5&H8H-H5#H8^pHf.AVL5sAULATOL-L8H='IHLH5 HHvLLH5 H11H=gH5cLHHHz1H5MLH5GLH5ALH5ALH5=LH5?LuH5?LaH5ALM1H5>L<H59L(H55LH50LH5/LH5,LH5)LH5&LH5#L@H5 L1H5$LwH5$LcH5%LO1H5(L>H5!L*1H5"LH5"LH5LH5L1H5 L1H5&LH5,LH5)LH5&LH5'LkH5%LWH5#LCH5$L/H5"L H5 L H5"L H5!L H5"L H5&LH5'LH5#LH5L{H5LgH5LSH5L?H5L+H5LH5 LH5!LH5#LH5%LH5#LH5(LH5)LH5(LwH5&Lc H5*LO!H5-L;"H50L'#H5.L$H51L%H54L&H57L'H5<L(H5BL)H5DL*H5EL1H5ILvH5ELbH5ALNH5?L:LA\A]A^E1LA\A]A^HHOiOs#:feedO|O:add_callbackcallback must be a functionmetrics returned NULLsssisLiisLiiii'event_kind' has no value'subject_kind' has no value'action' has no value'object_kind' has no value'how' has no valueNo recordsNo record numberINot foundNo line numbers:find_fieldNo field number'field name' is NULL'field str' is NULL'interpretation' is NULLioTextIOBase|iOTODOInvalid source typeauparse.NoParserAUSOURCE_LOGSAUSOURCE_FILEAUSOURCE_FILE_ARRAYAUSOURCE_BUFFERAUSOURCE_BUFFER_ARRAYAUSOURCE_DESCRIPTORAUSOURCE_FILE_POINTERAUSOURCE_FEEDAUSEARCH_UNSETAUSEARCH_EXISTSAUSEARCH_EQUALAUSEARCH_NOT_EQUALAUSEARCH_TIME_LTAUSEARCH_TIME_LEAUSEARCH_TIME_GEAUSEARCH_TIME_GTAUSEARCH_TIME_EQAUSEARCH_INTERPRETEDAUSEARCH_STOP_EVENTAUSEARCH_STOP_RECORDAUSEARCH_STOP_FIELDNORM_OPT_ALLNORM_OPT_NO_ATTRSAUSEARCH_RULE_CLEARAUSEARCH_RULE_ORAUSEARCH_RULE_ANDAUSEARCH_RULE_REGEXAUPARSE_CB_EVENT_READYAUPARSE_TYPE_UNCLASSIFIEDAUPARSE_TYPE_UIDAUPARSE_TYPE_GIDAUPARSE_TYPE_SYSCALLAUPARSE_TYPE_ARCHAUPARSE_TYPE_EXITAUPARSE_TYPE_ESCAPEDAUPARSE_TYPE_PERMAUPARSE_TYPE_MODEAUPARSE_TYPE_SOCKADDRAUPARSE_TYPE_FLAGSAUPARSE_TYPE_PROMISCAUPARSE_TYPE_CAPABILITYAUPARSE_TYPE_SUCCESSAUPARSE_TYPE_A0AUPARSE_TYPE_A1AUPARSE_TYPE_A2AUPARSE_TYPE_SIGNALAUPARSE_TYPE_LISTAUPARSE_TYPE_TTY_DATAAUPARSE_TYPE_SESSIONAUPARSE_TYPE_CAP_BITMAPAUPARSE_TYPE_NFPROTOAUPARSE_TYPE_ICMPTYPEAUPARSE_TYPE_PROTOCOLAUPARSE_TYPE_ADDRAUPARSE_TYPE_PERSONALITYAUPARSE_TYPE_SECCOMPAUPARSE_TYPE_OFLAGAUPARSE_TYPE_MMAPAUPARSE_TYPE_MODE_SHORTAUPARSE_TYPE_MAC_LABELAUPARSE_TYPE_PROCTITLEAUPARSE_TYPE_HOOKAUPARSE_TYPE_NETACTIONAUPARSE_TYPE_MACPROTO,AUPARSE_TYPE_IOCTL_REQAUPARSE_TYPE_ESCAPED_KEYAUPARSE_TYPE_ESCAPED_FILEAUPARSE_TYPE_FANOTIFYAUPARSE_TYPE_NLMCGRPAUPARSE_TYPE_RESOLVEAUPARSE_ESC_RAWAUPARSE_ESC_TTYAUPARSE_ESC_SHELLAUPARSE_ESC_SHELL_QUOTEflush_feedfeed_has_datafeed_has_ready_eventfeed_age_eventsset_escape_modeset_eoe_timeoutresetmetricssearch_add_expressionsearch_add_itemsearch_add_interpreted_itemsearch_add_timestamp_itemsearch_add_timestamp_item_exsearch_add_regexsearch_set_stopsearch_clearsearch_next_eventparse_next_eventaup_normalizeaup_normalize_get_event_kindaup_normalize_sessionaup_normalize_subject_primaryaup_normalize_subject_kindaup_normalize_get_actionaup_normalize_object_primaryaup_normalize_object_kindaup_normalize_get_resultsaup_normalize_howaup_normalize_keyget_timestampget_num_recordsfirst_recordnext_recordget_record_numgoto_record_numget_typeget_type_nameget_line_numberget_filenamefirst_fieldnext_fieldget_num_fieldsget_record_textfind_field_nextget_field_numgoto_field_numget_field_nameget_field_strget_field_typeget_field_intinterpret_fieldinterpret_realpathinterpret_sock_familyinterpret_sock_portinterpret_sock_addresssecEvent secondsmillimillisecond of the timestampserialSerial number of the eventhostMachine's nameauparseauparse.AuParserauparse.AuEventsource_typesourceobject has no parser associated with itsource must be None or not passed as a parameter when source_type is AUSOURCE_LOGSsource must be a string when source_type is AUSOURCE_FILEmembers of source sequence must be a string when source_type is AUSOURCE_FILE_ARRAYsource must be a sequence when source_type is AUSOURCE_FILE_ARRAYmembers of source sequence must be a string when source_type is AUSOURCE_BUFFER_ARRAYsource must be resolvable to a file descriptor when source_type is AUSOURCE_DESCRIPTORsource must be a file object when source_type is AUSOURCE_FILE_POINTERsource must be open file when source_type is AUSOURCE_FILE_POINTERsource must be None when source_type is AUSOURCE_FEEDaup_normalize_subject_secondaryaup_normalize_subject_first_attributeaup_normalize_subject_next_attributeaup_normalize_object_secondaryaup_normalize_object_first_attributeaup_normalize_object_next_attribute`(interpret_sock_address() Return an interpretation of the current field's socket address. Only supported on sockaddr field types. If the field cannot be interpreted the field is returned unmodified. Raises exception (RuntimeError) on error interpret_sock_address() Return an interpretation of the current field's socket port. Only supported on sockaddr field types. If the field cannot be interpreted the field is returned unmodified. Raises exception (RuntimeError) on error interpret_sock_family() Return an interpretation of the current field's socket family. Only supported on sockaddr field types. If the field cannot be interpreted the field is returned unmodified. Raises exception (RuntimeError) on error interpret_realpath() Return an interpretation of the current field as a realpath string that has the chosen character escaping applied. If the field cannot be interpreted the field is returned unmodified. Raises exception (RuntimeError) on error interpret_field() Return an interpretation of the current field as a string that has the chosen character escaping applied. If the field cannot be interpreted the field is returned unmodified. Raises exception (RuntimeError) on error get_field_int() Get current field’s value as an integer. get_field_int() allows access to the value as an int of the current field of the current record in the current event. Returns field's numeric value. Raises exception (EnvironmentError) on error get_field_type() Get current field’s data type value. get_field_type() returns a value from the auparse_type_t enum that describes the kind of data in the current field of the current record in the current event. Returns AUPARSE_TYPE_UNCLASSIFIED if the field’s data type has no known description or is an integer. Otherwise it returns another enum. Fields with the type AUPARSE_TYPE_ESCAPED must be interpreted to access their value since those field’s raw value is encoded. get_field_str() get current field’s value get_field_str() allows access to the value in the current field of the current record in the current event. Returns String. Raises exception (RuntimeError) on error get_field_name() Get current field’s name. get_field_name() allows access to the current field name of the current record in the current event. Returns None if the field value is unavailable. Returns String. Raises exception (RuntimeError) on error find_field(name) Search for field name. find_field() will scan all records in an event to find the first occurrence of the field name passed to it. Searching begins from the cursor’s current position. The field name is stored for subsequent searching. Returns value associated with field or None if not found. goto_field_num() Move field cursor to specific position. goto_field_num() will move the internal library cursors to point to a specific physical field number. Fields within the same record are numbered starting from 1. This is generally not needed but there are some cases where one may want precise control over the exact field being looked at. Returns True on success, False if no more fields in current event Raises exception (EnvironmentError) on error. get_field_num() get one based record number where auparse is currently at The record numbering will reset back to 1 each time a new event is processed. Raises exception (RuntimeError) on error. find_field_next() Get next occurrence of field name find_field_next() returns the value associated next occurrence of field name. Returns value associated with field or None if there is no next field. Raises exception (EnvironmentError) on error. get_record_text() Return unparsed record data get_record_text() returns the full unparsed record. Raises exception (EnvironmentError) on error. get_num_fields() Get the number of fields. Returns the number of fields in the current event. Raises exception (EnvironmentError) on error. next_field() Advance the field cursor. next_field() moves the library’s internal cursor to point to the next field in the current record of the current event. Returns True on success, False if there is no more fields exist first_field() Reposition field cursor. Returns True on success, False if there is no event data auparse_get_filename() get the filename where record was found get_filename() will return the name of the source file where the record was found if the source type is AUSOURCE_FILE or AUSOURCE_FILE_ARRAY. For other source types the return value will be None. auparse_get_line_number() get line number where record was found get_line_number will return the source input line number for the current record of the current event. Line numbers start at 1. If the source input type is AUSOURCE_FILE_ARRAY the line numbering will reset back to 1 each time a new life in the file array is opened. Raises exception (RuntimeError) on error. get_type_name() Get current record’s type name. get_type_name() allows access to the current record type name in the current event. Raises exception (LookupError) on error. get_type() Get record’s type. get_type() will return the integer value for the current record of the current event. Returns record type. Raises exception (LookupError) on error. goto_record_num() Move record cursor to specific position. goto_record_num() will move the internal library cursors to point to a specific physical record number. Records within the same event are numbered starting from 0. This is generally not needed but there are some cases where one may want precise control over the exact record being looked at. Returns True on success, False if no more records in current event Raises exception (EnvironmentError) on error. get_record_num() get one based record number where auparse is currently at The record numbering will reset back to 1 each time a new event is processed. Raises exception (RuntimeError) on error. next_record() Advance record cursor. next_record() will move the internal library cursors to point to the next record of the current event. Returns True on success, False if no more records in current event Raises exception (EnvironmentError) on error. first_record() Reposition record cursor. first_record() repositions the internal cursors of the parsing library to point to the first record in the current event. Return True for success, False if there is no event data. Raises exception (EnvironmentError) on error. get_num_records() Get the number of records. Returns the number of records in the current event. Raises exception (RuntimeError) on error. get_timestamp() Return current event's timestamp. Returns the current event's timestamp info as an AuEvent object. No Return value, raises exception (EnvironmentError) on error. aup_normalize_key() This function positions the internal cursor on the key field of the event. Returns True on success Returns False if uninitialized Raises exception (ValueError) on error aup_normalize_how() This returns a string that indicates the how the object is being accessed. This is usually a program. Raises exception (RuntimeError) on error aup_normalize_subject_primary() This function positions the internal cursor on the results field of the event. Returns True on success Returns False if uninitialized Raises exception (ValueError) on error aup_normalize_object_kind() This returns a string that indicates the kind of thing the object is. Raises exception (RuntimeError) on error aup_normalize_object_next_attribute() This function positions the internal cursor on the next object's attribute field of the event. Returns True on success Returns False if uninitialized Raises exception (ValueError) on error aup_normalize_object_first_attribute() This function positions the internal cursor on the object's first attribute field of the event. Returns True on success Returns False if uninitialized Raises exception (ValueError) on error aup_normalize_object_secondary() This function positions the internal cursor on the object's secondary field of the event. Returns True on success Returns False if uninitialized Raises exception (ValueError) on error aup_normalize_object_primary() This function positions the internal cursor on the object's field of the event. Returns True on success Returns False if uninitialized Raises exception (ValueError) on error aup_normalize_get_action() This returns a string that indicates the subject's action. Raises exception (RuntimeError) on error aup_normalize_subject_kind() This returns a string that indicates the kind of account the subject is. Raises exception (RuntimeError) on error aup_normalize_subject_next_attribute() This function positions the internal cursor on the next subject's attribute field of the event. Returns True on success Returns False if uninitialized Raises exception (ValueError) on error aup_normalize_subject_first_attribute() This function positions the internal cursor on the subject's first attribute field of the event. Returns True on success Returns False if uninitialized Raises exception (ValueError) on error aup_normalize_subject_secondary() This function positions the internal cursor on the subject's secondary field of the event. Returns True on success Returns False if uninitialized Raises exception (ValueError) on error aup_normalize_subject_primary() This function positions the internal cursor on the subject's field of the event. Returns True on success Returns False if uninitialized Raises exception (ValueError) on error aup_normalize_session() This function positions the internal cursor on the session's field of the event. Returns True on success Returns False if uninitialized Raises exception (ValueError) on error aup_normalize_get_event_kind() This returns a string that indicates what kind of event this is. Raises exception (RuntimeError) on error aup_normalize(opt) Normalize the audit event for uniform access to fields. aup_normalize() takes an argument to decide if it should also gather subject and object attributes. The possible values are: NORM_OPT_ALL: This means include subject and object attributes NORM_OPT_NO_ATTRS: This means do not gather subject and object attributes Returns True on success Returns False if uninitialized Raises exception (ValueError) on error parse_next_event() Advance the parser to the next event. parse_next_event() will position the cursors at the first field of the first record of the next event in a file or buffer. It does not skip events or honor any search criteria that may be stored. Returns True if parser advances to next event. Returns False if there are no more events to parse Raises exception (EnvironmentError) on error search_next_event() Find the next event that meets search criteria. search_next_event() will scan the input source and evaluate whether any record in an event contains the data being searched for. Evaluation is done at the record level. Returns True if a match was found Returns False if a match was not found. Raises exception (EnvironmentError) on error search_clear() Clear search parameters. ausearch_clear clears any search parameters stored in the parser instance and frees memory associated with it. No Return value. search_set_stop(where) Set where cursor is positioned on search match. search_set_stop() determines where the internal cursor will stop when a search condition is met. The possible values are: AUSEARCH_STOP_EVENT: This one repositions the cursors to the first field of the first record of the event containing the items searched for. AUSEARCH_STOP_RECORD: This one repositions the cursors to the first field of the record containing the items searched for. AUSEARCH_STOP_FIELD: This one simply stops on the current field when the evaluation of the rules becomes true. No Return value, raises exception (ValueError) on error. search_add_regex(regexp) Add a regular expression to the search criteria. No Return value, raises exception (EnvironmentError) on error. search_add_timestamp_item_ex(op, sec, milli, serial, how) Build up search rule search_add_timestamp_item_ex adds an event time condition to the current audit search expression. Its similar to search_add_timestamp_item except it adds the event serial number. search_add_timestamp_item(op, sec, milli, how) Build up search rule search_add_timestamp_item adds an event time condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest. The op parameter specifies the desired comparison. Legal op values are "<", "<=", ">=", ">" and "=". The left operand of the comparison operator is the timestamp of the examined event, the right operand is specified by the sec and milli parameters. The how parameter determines how this search expression will affect the existing search expression, if one is already defined. The possible values are: AUSEARCH_RULE_CLEAR: Clear the current search expression, if any, and use only this search expression. AUSEARCH_RULE_OR: If a search expression E is already configured, replace it by (E || this_search_expression). AUSEARCH_RULE_AND: If a search expression E is already configured, replace it by (E && this_search_expression). No Return value, raises exception (EnvironmentError) on error. search_add_interpreted_item(field, op, value, how) Build up search rule search_add_interpreted_item() adds one search condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest. The field value is the field name that the value will be checked for. The op variable describes what kind of check is to be done. Legal op values are: 'exists': Just check that a field name exists '=': locate the field name and check that the value associated with it is equal to the value given in this rule. '!=': locate the field name and check that the value associated with it is NOT equal to the value given in this rule. The value parameter is compared to the interpreted field value (the value that would be returned by AuParser.interpret_field). The how parameter determines how this search expression will affect the existing search expression, if one is already defined. The possible values are: AUSEARCH_RULE_CLEAR: Clear the current search expression, if any, and use only this search expression. AUSEARCH_RULE_OR: If a search expression E is already configured, replace it by (E || this_search_expression). AUSEARCH_RULE_AND: If a search expression E is already configured, replace it by (E && this_search_expression). No Return value, raises exception (EnvironmentError) on error. search_add_item(field, op, value, how) Build up search rule search_add_item() adds one search condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest. The field value is the field name that the value will be checked for. The op variable describes what kind of check is to be done. Legal op values are: 'exists': Just check that a field name exists '=': locate the field name and check that the value associated with it is equal to the value given in this rule. '!=': locate the field name and check that the value associated with it is NOT equal to the value given in this rule. The value parameter is compared to the uninterpreted field value. The how parameter determines how this search expression will affect the existing search expression, if one is already defined. The possible values are: AUSEARCH_RULE_CLEAR: Clear the current search expression, if any, and use only this search expression. AUSEARCH_RULE_OR: If a search expression E is already configured, replace it by (E || this_search_expression). AUSEARCH_RULE_AND: If a search expression E is already configured, replace it by (E && this_search_expression). No Return value, raises exception (EnvironmentError) on error. search_add_expression(expression, how) Build up search expression ausearch_add_item adds an expression to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest. The expression parameter contains an expression, as specified in ausearch-expression(5). The how parameter determines how this search expression will affect the existing search expression, if one is already defined. The possible values are: AUSEARCH_RULE_CLEAR: Clear the current search expression, if any, and use only this search expression. AUSEARCH_RULE_OR: If a search expression E is already configured, replace it by (E || this_search_expression). AUSEARCH_RULE_AND: If a search expression E is already configured, replace it by (E && this_search_expression). No Return value, raises exception (EnvironmentError) on error. metrics() Returns gets some basic information about auparse's internalstate. Returns a string holding metrics Raises exception (RuntimeError) on error reset() Reset audit parser instance reset resets all internal cursors to the beginning. It closes files and descriptors. Returns None. Raises exception (EnvironmentError) on error set_eoe_timeout(tmo) Set audit parser end of event timeout This function sets the timeout used to determine if an event is complete. Returns None. set_escape_mode(mode) Set audit parser escaping This function sets the character escaping applied to value fields in the audit record. Returns None. add_callback(callback, user_data) add a callback handler for notifications. auparse_add_callback adds a callback function to the parse state which is invoked to notify the application of parsing events. The signature of the callback is: callback(au, cb_event_type,user_data) When the callback is invoked it is passed: au: the AuParser object cb_event_type: enumerated value indicating the reason why the callback was invoked user_data: user supplied private data The cb_event_type argument indicates why the callback was invoked. It's possible values are: AUPARSE_CB_EVENT_READY A complete event has been parsed and is ready to be examined. This is logically equivalent to the parse state immediately following auparse_next_event() Returns None. Raises exception (EnvironmentError) on error feed_age_events() age events by the clock feed_age_events() should be called to timeout events by the clock. Any newly complete events will be sent to the callback function. Returns None. feed_has_ready_event() determines if there are any events that are ready to emit. Returns True if event is ready and false otherwise. feed_has_data() determines if there are any records that are accumulating but not yet ready to emit. Returns True if data left and false otherwise. flush_feed() flush any unconsumed feed data through parser flush_feed() should be called to signal the end of feed input data and flush any pending parse data through the parsing system. Returns None. Raises exception (EnvironmentError) on error feed(data) supplies new data for the parser to consume. AuParser() must have been called with a source type of AUSOURCE_FEED. The parser consumes as much data as it can invoking a user supplied callback specified with add_callback() with a cb_event_type of AUPARSE_CB_EVENT_READY each time the parser recognizes a complete event in the data stream. Data not fully parsed will persist and be prepended to the next feed data. After all data has been feed to the parser flush_feed() should be called to signal the end of input data and flush any pending parse data through the parsing system. Returns None. Raises exception (EnvironmentError) on error AuParser(source_type, source) Construct a new audit parser object and bind it to input data. source_type: one of the AUSOURCE_* constants. source: the input data, dependent on the source_type as follows: AUSOURCE_LOGS: None (system log files will be parsed) AUSOURCE_FILE: string containing file path name AUSOURCE_FILE_ARRAY: list or tuple of strings each containing a file path name AUSOURCE_BUFFER: string containing audit data to parse AUSOURCE_BUFFER_ARRAY: list or tuple of strings each containing audit data to parse AUSOURCE_DESCRIPTOR: integer file descriptor (e.g. fileno) AUSOURCE_FILE_POINTER: file object (e.g. types.FileType) AUSOURCE_FEED: None (data supplied via feed() An internal object which encapsulates the timestamp, serial number and host information of an audit event. The object cannot be instantiated from python code, rather it is returned from the audit parsing API.%a %b %d %H:%M:%S.%%ld %Y seriallocaltime errorstrftime returne;PK0RPYYZ ZHZd[@[[\ ]4]l]^^P__`(`aTax@bb@c@d e(fLfpghPii j,jTpkxk`ll`mm8`n`n@oo@pp @q@ q` 0r r s s @t tD @ul u v v `w w 0x4 xT xt `y y z @{ { |@ |` `} } ~ ~  p$ D Pd @ zRx $IpFJ w?:*3$"DXO`\`V"HYtxVEG L $VmEi B P H P H 0W4YZTW3YYxW4YZ$W=EZ A O A LL8W6FBA A(DPNHIT (H ABBF XWJ`N4XlFJA y ABC QDBY'EY 0YEQ@a AH  YOH ` H <ZoH d D U K \`Z_H d D O A |Z_H d D O A (ZDENDP AAC \mEQ P AA P\eH W A \oH d D U K ((\FAD y DBF TX]FQ0 EH x4^EQPu AD ^EQPu AD _EQ@t AE ,h`EQP^XF`RXAPP AB (aEQ0W AB 8aEQ0V AC \`bOH ` H $xbH f B O A U K $bH f B O A U K DcEQ0X AA chHc E Y G $ @dH f B O A U K $4dH f B O A U K $\dH f B O A U K $HeH f B O A U K $eH f B O A U K ehHc E Y G HfhHc E Y G $fH f B O A U K $<fH f B O A U K $dHgH f B O A U K $gH f B O A U K ghHc E Y G $HhH f B O A U K hhHc E Y G $hH f B O A U K (DHiED B AD Z AE pieHa G \ D $jH f B O A U K $tjH f B O A U K jeHa G \ D kEQ0X AA $keHa G \ D DlhHc E Y G dhleHa G \ D l]Ec H P H l_H d D O A 4m_H d D O A tmeHa G U K  maHc E Y G ( nFQ j EJ L nyEf E [ E p Jh^22"m6 mV,`7]~Bl$` Ż,Hl@#JeF4(YP^ ( roPkJ nKGd|5ِj mY8O@Zlb|zs}FBA KV0DE>s3ŷ7 u[?CsɎfcS+EX(Q3V)XbcI++fdL}FE(t]OAs;z-MT)2\<RVW?F.\\gE#:/!L"$Uϣ_#mt3t%-,WuG_5ynn[}6;Md3T!60Jv^G:,oQ؎ռ0V+큿Z|ziu T9+1CB2 yÌ8glbSngu4#QkNdhs/n Q.=BEo1B݀ .fwP.Δse >f?}7uD#_FyؕsI2;o/=U"d<ܼl2ݱ!zV} aTm071AB^=0'jRI 2IЄp-q/Qf}xAu0Q w<qOiW֞ej[3m|^J&/5V1ww2Z5)w+cSIp)+~8}IYkHY1O}aP,f3:LE'轋HCwua6-Ї,בB luMp`43b]NjK8".1-Tz Yۇu$RUB<2|iÃGy(qbn(N~yҟo:{|eo`x֣|0V +"<*Go/tҗS S:΋"G縪z=Zyw ;:̼Ǩ̋y>JVZp ]141_O/'{>UVE= Edi07FEk3 !Atmm&m\V[ڤ0Bj!wM}d(,i=z7P@g}43( f Xr