28c28
< .\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
---
> .\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
108,113c108,118
< Select records containing the given path name.
< file="/usr" matches paths
< starting with
< .Pa usr .
< file="~/usr" matches paths not starting with
< .Pa usr .
---
> Select records containing path tokens, where the pathname matches
> one of the comma delimited extended regular expression contained in
> given specification.
> Regular expressions which are prefixed with a tilde (~) are excluded
> from the search results.
> These extended regular expressions are processed from left to right,
> and a path will either be selected or deslected based on the first match.
> .Pp
> Since commas are used to delimit the regular expressions, a backslash (\\)
> character should be used to escape the comma if it's a part of the search
> pattern.
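Review bot: The new file= description does not say what happens to a path that matches none of the expressions, or whether the expressions are anchored; the removed text at least said "starting with". Because a path is selected or deselected on the first match from left to right, a reader who writes a specification containing only tilde-prefixed expressions cannot tell from this text whether all other paths are selected or none are. Please state the default outcome and the anchoring behaviour explicitly. Two wording fixes in the same paragraph: "deslected" should be "deselected", and "extended regular expression contained in given specification" should read "extended regular expressions contained in the given specification".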
138a144,167
> .Pp
> Output from the above command lines will typically be piped to a new trail
> file, or via standard output to the
> .Xr praudit 1
> command.
> .Pp
> Select all records containing a path token where the pathname contains
> .Pa /etc/master.passwd
> .Pp
> .Nm
> -ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
> .Pp
> Select all records containing path tokens, where the pathname is a TTY
> device:
> .Pp
> .Nm
> -ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
> .Pp
> Select all records containing path tokens, where the pathname is a TTY
> except for
> .Pa /dev/ttyp2
> .Pp
> .Nm
> -ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
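Review bot: The last example says it selects TTYs "except for /dev/ttyp2", but the first example describes matching as "the pathname contains", and if the expressions are unanchored in that way, "~/dev/ttyp2" also deselects any longer name such as /dev/ttyp20. Either anchor the pattern in the example (for instance "~/dev/ttyp2$") or reword the description so it matches what the expression does; this matters because an over-broad exclusion silently drops audit records from the reduced trail. The same applies on a smaller scale to the unescaped "." in "/etc/master.passwd", which as a regular expression matches any character. The sentences ending in ".Pa /etc/master.passwd" and ".Pa /dev/ttyp2" also lack terminating punctuation, and the command lines would render more reliably in a literal display such as .Dl than as running text after .Nm.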