auparse_next_record - Linux


auparse_next_record parses a single audit record from the given file descriptor and returns it in a format convenient for consumption by clients. It also maintains state necessary for carrying out such parsing, including details of the audit subsystem configuration (such as field masks and format strings) and memory allocated for buffers that contain audit records.


auparse_next_record(int fd, struct au_record **record_p)

| Parameter | Description |
| fd | File descriptor from which to read audit records |
| record_p | Pointer to a pointer to a memory location that will hold the parsed audit record |


This command does not support any options or flags.


int fd;
struct au_record *record;

fd = open("audit.log", O_RDONLY);
if (fd < 0) {

while (auparse_next_record(fd, &record) == 0) {
  // Process the audit record
  free(record); // Free the memory allocated for the record


Common Issues

  • Ensure that the file descriptor provided is valid and points to a file that contains audit records.
  • Check that the memory location pointed to by record_p is valid and can accommodate the parsed audit record.
  • If auparse_next_record returns a non-zero value, it indicates that there are no more audit records to parse or an error has occurred.


auparse_next_record is typically used in conjunction with other commands or tools for analyzing or processing audit records. For example, it can be combined with aurecord to read and parse audit records from a file, or with aulast to retrieve the most recent audit records.

Related Commands

  • aurecord – Read and store audit records
  • aureport – Generate reports from audit records
  • auevent – Generate and store audit events