When you add a new file to the list of files to be monitored by the module, you must provide a value for the record format attribute. This attribute defines the format of the file being monitored. This value is needed if the fileparse binary is specified as the only required validation script. The fileparse binary checks the record format as part of the validation performed on the file. The record format is a hidden attribute of the file entry in the Watched File table. You will not see this attribute displayed once it is defined, unless you choose to edit the file's entry. For more information, see Validation Script.
The following list describes supported datatypes for record_format:
datatype = {STRING, INT, IPADDRESS, ZERO_STRING, RANGE_INT, CHOICE_INT, CHOICE_STRING CONST}
where
The string cannot be empty
The string can be empty or not empty
The integer must match one of the strings specified
The integer must match one of the integers specified
The string must match one of the strings specified
The field value must match
The grammar also supports the following values:
Ranges for numbers, such as RANGE_INT (1...9)
A list of possible values for numbers and strings, such as:
CHOICE_INT (0|1)
CHOICE_STRING (true|false)
The character “|” is not allowed in the choice list of strings. These strings can only be embedded in double quotes if they appear within double quotes in the monitored file. INT values can only be positive values. Negative values for INT are not supported.
A constant string can be declared by enclosing it in double quotes, as shown in the following example:
"+" | "-" | STRING STRING
The available operators are as follows:
operator = | , [], *
where
Means “or”. For example, - line-format = "+" | "-" | STRING STRING
Means optional. For example, - line-format = STRING [STRING|IPADDRESS]
Means zero or multiple repetition of one datatype. For example: - line-format= IPADDRESS STRING STRING*
The following example shows the record format to validate /etc/passwd:
STRING STRING INT INT ZERO_STRING STRING ZERO_STRING | "+" | "-"
The precedence of the operators is as follows:
[] , | , *