Aside crypto-auditing-agent, we provide the following commands:

• crypto-auditing-log-parser: directly parse the log file, mostly for testing
• crypto-auditing-event-broker: used with -client, enables real-time monitoring of events
• crypto-auditing-client: used with -event-broker, enables real-time monitoring of events

Given the primary use-case is to examine the stored logs, I think it would be more intuitive if we instead provide two commands: "query" and "monitor". Maybe we might also want to abbreviate the "crypto-auditing" prefix, such as "crau". All in all, I'd propose deprecating those 3 commands and introduce:

• crau-query: shows the log content in a JSON form, optionally taking an expression such as: name = pk::sign AND pk::algorithm = "RSA"
• crau-monitor: watches the log files and prints any new events, optionally taking a matching expression