After opening the audit trail file, you can use the dce_aud_next( ) function to retrieve audit records. Audit records are stored in the audit trail file in binary form. The dce_aud_next( ) function does not convert the file into readable form. You must use the dce_aud_print( ) function to translate the audit record into readable form.
The dce_aud_next( ) function allows you to specify criteria for selecting the records that are read from the file. These criteria are known as predicates, and each is expressed as a condition on the value of an attribute. The condition is set by using any of the following operators: = (equal to), > (greater than), and < (less than).
Predicates can be expressed in any of the following forms:
· attribute=value
· attribute>value
· attribute<value
The following list summarizes these attributes and their acceptable values:
SERVER    UUID of the principal that generated the record
EVENT     Audit event number
OUTCOME   Event outcome of the record
STATUS    Authorization status of the application client
CLIENT    UUID of the client principal
TIME      Time when the record was generated
CELL      The UUID of the application client's cell
GROUP     The UUID of the application client's group or groups
ADDR      The address (binding handle) of the client
FORMAT    The format version number of the audit event record
Details of these attributes, their values, and the allowable operators are discussed in the OSF DCE Application Development Reference.
For example, to have the function retrieve audit records that pertain to the event number 0xC01000001 only, you can set the predicate to the following:
EVENT=0xC01000001
If the predicate parameter is set to NULL (that is, no criteria), the next audit record is read. For example, to read the next audit record in a previously opened audit trail file, the following call is made:
dce_aud_next(out_trail, NULL, &out_ard, status);
You can specify multiple predicates, in which case the predicates are treated as a logical AND condition.
The dce_aud_next( ) function returns a pointer to the record that was read. This pointer is used by the dce_aud_print( ), dce_aud_get_ev_info( ), and dce_aud_get_header( ) functions in transforming the audit records into ASCII format.
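The selection rules described above (three operators, NULL meaning no criteria, multiple predicates combined with AND) can be modeled in a short C program. This is an added example, not DCE library code: rec_t, eval_one, rec_matches, next_rec and count_selected are hypothetical names, the records are constructed, and the comma separator between predicates and the integer encoding of OUTCOME and TIME are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Model record: three of the listed attributes as integers (assumed encoding). */
typedef struct { unsigned long event, outcome, time; } rec_t;
static const rec_t trail[] = {            /* constructed sample trail */
    {0x101, 1, 1000}, {0x102, 1, 1500}, {0x101, 2, 2000}, {0x101, 1, 3000} };

/* One ATTR=value, ATTR>value or ATTR<value predicate; malformed or unknown input fails. */
static int eval_one(const rec_t *r, const char *p) {
    size_t n = strcspn(p, "=<>");
    char op = p[n], *end;
    unsigned long have, want;
    if (op == '\0' || p[n + 1] == '\0') return 0;
    if (n == 5 && !strncmp(p, "EVENT", 5)) have = r->event;
    else if (n == 7 && !strncmp(p, "OUTCOME", 7)) have = r->outcome;
    else if (n == 4 && !strncmp(p, "TIME", 4)) have = r->time;
    else return 0;
    want = strtoul(p + n + 1, &end, 0);   /* base 0 accepts 0x... values */
    if (*end != '\0') return 0;
    return op == '=' ? have == want : op == '>' ? have > want : have < want;
}

/* Logical AND over comma-separated predicates (separator assumed); NULL = no criteria. */
int rec_matches(const rec_t *r, const char *preds) {
    char buf[128], *tok;
    if (preds == NULL) return 1;
    if (strlen(preds) >= sizeof buf) return 0;
    strcpy(buf, preds);
    for (tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        if (!eval_one(r, tok)) return 0;
    return 1;
}

/* Next matching record at or after *pos, advancing *pos; NULL at end of trail. */
const rec_t *next_rec(size_t *pos, const char *preds) {
    while (*pos < sizeof trail / sizeof trail[0])
        if (rec_matches(&trail[(*pos)++], preds)) return &trail[*pos - 1];
    return NULL;
}

/* Number of records a predicate string selects from the sample trail. */
size_t count_selected(const char *preds) {
    size_t pos = 0, n = 0;
    while (next_rec(&pos, preds)) n++;
    return n;
}

int main(void) { printf("%zu\n", count_selected("EVENT=0x101,TIME>1000")); return 0; }
```

In this model a predicate that names an unknown attribute or carries a malformed value selects nothing, so a mistyped filter shows up as an empty result instead of silently widening the selection.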