Merge pull request #105 from draios/add-process-output

Add ability to write output to a program
2025-07-31 22:16:49 +00:00 · 2016-08-04 16:20:48 -07:00 · 2016-08-04 16:20:48 -07:00 · 00107537b6
commit 00107537b6
parent f7ed616535 d5dbe59d85
3 changed files with 34 additions and 1 deletions
--- a/falco.yaml
+++ b/falco.yaml
@ -23,3 +23,6 @@ file_output:
 stdout_output:
  enabled: true

+program_output:
+  enabled: false
+  program: mail -s "Falco Notification" someone@example.com
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@ -54,6 +54,20 @@ void falco_configuration::init(string conf_filename, std::list<std::string> &cmd
 		m_outputs.push_back(syslog_output);
 	}

+	output_config program_output;
+	program_output.name = "program";
+	if (m_config->get_scalar<bool>("program_output", "enabled", false))
+	{
+		string program;
+		program = m_config->get_scalar<string>("program_output", "program", "");
+		if (program == string(""))
+		{
+			throw sinsp_exception("Error reading config file (" + m_config_file + "): program output enabled but no program in configuration block");
+		}
+		program_output.options["program"] = program;
+		m_outputs.push_back(program_output);
+	}
+
 	if (m_outputs.size() == 0)
 	{
 		throw sinsp_exception("Error reading config file (" + m_config_file + "): No outputs configured. Please configure at least one output file output enabled but no filename in configuration block");
--- a/userspace/falco/lua/output.lua
+++ b/userspace/falco/lua/output.lua
@ -27,7 +27,7 @@ function mod.file_validate(options)
 end

 function mod.file(evt, rule, level, format, options)
-   format = "%evt.time: "..levels[level+1].." "..format
+   format = "*%evt.time: "..levels[level+1].." "..format
   formatter = falco.formatter(format)
   msg = falco.format_event(evt, rule, levels[level+1], formatter)

@ -43,6 +43,22 @@ function mod.syslog(evt, rule, level, format)
   falco.syslog(level, msg)
 end

+function mod.program(evt, rule, level, format, options)
+
+   format = "*%evt.time: "..levels[level+1].." "..format
+   formatter = falco.formatter(format)
+   msg = falco.format_event(evt, rule, levels[level+1], formatter)
+
+   -- XXX Ideally we'd check that the program ran
+   -- successfully. However, the luajit we're using returns true even
+   -- when the shell can't run the program.
+
+   file = io.popen(options.program, "w")
+
+   file:write(msg, "\n")
+   file:close()
+end
+
 function mod.event(event, rule, level, format)
   for index,o in ipairs(outputs) do
      o.output(event, rule, level, format, o.config)